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Chapter 1 

Foreword 



The technical information and intellectual property rights for the vulnerabilities summarized within this 
portfolio are available for purchase under the terms of your contract. This portfolio is intended to 
provide a current listing of available vulnerabilities with enough information to be able to make an initial 
determination of interest for any particular vulnerability. If there is a piece of information regarding any 
vulnerability that you feel would assist in making such a determination, please engage in a direct dialog 
with one of our representatives. 

1.1 Document Formatting 

The format of this document provides structured content for convenient navigation. Each Vendor has it's 
own "chapter", each target system or product has it's own "section", and each individual vulnerability 
has it's own "subsection". By perusing the vulnerability listing provided by the Table of Contents at 
the beginning of this document, any vulnerability of interest should be easily identifiable. Your PDF 
document reader should then allow you to click directly on the vulnerability ID or name in the Table of 
Contents listing and navigate directly to the summary information for that vulnerability. 

1.2 Properties and Definitions 

1.2.1 Vulnerability Properties 
• Asset Availability 

This property describes the methods of purchase that the asset is available to be purchased as. 
Methods include: 

— Exclusive Sale - The asset is available for one-time, exclusive sale. 

— Non-exclusive Sale - The asset is available for non-exclusive sale, indicating that it may be 
sold multiple times to different Customers. 

— Monthly License - The asset is available to be licensed for use on a month-by-month basis. 
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• Asset Type 

This property describes the type of asset that is listed, which will either be Brokered or Internal. 
Brokered assets are assets that we are marketing on behalf of a Client whereas Internal are internally 
developed assets from our own R&D. Brokered assets will be further denoted whether they are 
available for Immediate Delivery or if we will perform testing and validation after receiving a 
Purchase Order and before delivery (Delayed Delivery). 

• Expiration Date 

This is the date that availability of the vulnerability listed through this channel will expire and it 
will be marketed or sold through other channels. This may include outside exclusive sale, sale to a 
vulnerability purchasing program or bug bounty, or direct disclosure to the affected vendor. 

• Listing Date 

This is the date that the vulnerability was originally listed in our portfolio. This date can be used 
to gage the relative maturity of a vulnerability. 

• Platforms 

Some software products are cross-platform or available for multiple platforms. This collection of 
properties describes the platforms tested and assumed to be affected by the vulnerability as well as 
tested unaffected platforms. 

- The "Affected Platforms Tested" property identifies platforms that have been tested and 
verified vulnerable. 

- The "Affected Platforms Assumed" property describes platforms that are assumed to be 
vulnerable but have not been explicitly tested. 

- The "Unaffected Platforms" property describes versions that have been tested and verified 
unaffected. 

Examples include values such as: 

- All Microsoft Windows 

- x86-32 Microsoft Windows XP 

- x86-32 Microsoft Windows XP SP3 

- x86-64 Microsoft Windows Vista SP2 FP(2012.05.01) 

- Linux Kernel 2.6.23 

- Apple Mac OS X 10.6.1 

- Solaris 9 

The indicator FP() indicates that a platform has been fully patched to the indicated date. 

Note that Platforms are listed with reference numbers that are used in the Vulnerability Test Matrix. 

• Reliability Rating 

This property describes how reliable triggering the vulnerability is, and is rated anywhere from 
Completely Reliable (100%) to Cross Your Fingers and Pray (<10%) 

• Target 

This property describes the vulnerable target. This may include software such as an application, 
library, or firmware, or hardware such as an integrated circuit, logic board, or hardware system such 
as a hardware radio or mobile cellular device. 
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• Versions 

This collection of properties describe what version or versions of the affected software or hardware 
has been tested or is assumed vulnerable, as well as versions tested and verified unaffected. 

— The "Affected Versions Tested" property identifies versions that have been tested and verified 
vulnerable. 

— The "Affected Versions Assumed" property describes versions that are assumed to be vulner- 
able but have not been explicitly tested. 

— The "Unaffected Versions" property describes versions that have been tested and verified 
unaffected. 

• Vulnerability Class 

This property describes the type of vulnerability. Example values include the following: 

— Design/Logic Flaw 

— Memory Corruption 

— Input Validation Error or Omission 

— Misconfigu ration 

— Information Disclosure 

— Cryptographic Flaw 

— Denial-of-Service 

1.2.2 Vulnerability Test Matrix 

The Vulnerability Test Matrix is intended to provide an exact listing of which vulnerable versions have 
been tested in combination with which platforms. The matrix lists vulnerable versions down the left side of 
the matrix (rows) and platforms across the top of the matrix (columns). Platforms are listed as numbers 
corresponding to their place in the Vulnerability Information's Platforms list. Individual combination cell 
values are as follows: 

• "V" - Combination has been tested as Vulnerable 

• "N" - Combination has been tested as Not Vulnerable 

• blank - Combination is untested 

1.2.3 Asset Deliverables 

• Documentation 

This property describes the documentation deliverables of the asset. 

• Exploits 

This property describes the exploit and proof-of-concept deliverables of the asset. 
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1.2.4 Exploit Properties 

The Exploit Properties section may be duplicated any number of times to describe all of the exploit and 
proof-of-concept deliverables that the asset includes. 

• Attack Vector 

This property describes the implemented or most effective perceived attack vector for exploitation 
of the vulnerability. Values include: 

— Local - The vulnerability requires local access to the target for exploitation. 

— Remote - The vulnerability can be exploited remotely across a network. 

— Client-Side - The vulnerability resides in client software such as a web browser, email appli- 
cation, media player, etc. 

— File Format - The vulnerability is exploited via a malicious file. 
This property may also be augmented by a qualifier. Qualifiers include: 

— Post-auth - The attack vector requires authentication of some form prior to exploitation. 

— Passive - The attack is passive in that it requires action on the part of the target to trigger 
the payload. 

• Development Goal 

This property describes our Client's development goal and indicates the development target should 
our Client be actively developing the vulnerability. Values include: 

— Information - A dossier of information about the vulnerability that does not include an exploit. 

— Instructions - A written instruction set describing how to exploit the vulnerability. 

— Proof-of-Concept - An executable, malicious file, malicious web page, or other material that 
triggers or otherwise demonstrates the existence of the vulnerability. 

— Exploit - An executable, malicious file, malicious web page, or other material that leverages 
the vulnerability to accomplish something benign such as execute a harmless application, 
spawn a dialog box, etc. 

— Professional Exploit - An exploit that contains an operational payload that accomplishes 
a task such as the addition of an administrative user on the system, opens a backdoor port 
on the network interface, spawns a command shell and connects it to a remote host, etc. 
This also includes exploits written to integrate with an attack or exploitation framework that 
can provide the exploit with an operational payload such as Metasploit, CORE IMPACT, or 
Immunity Canvas. 

— Utility - An executable that does not exploit the vulnerability itself but otherwise assists in 
the exploitation of the vulnerability. Utilities would include applications such as malicious file 
exploit generators, network scanners, etc. 

• Development Status 

This property indicates whether our Client is actively developing the vulnerability. Values are either 
Active, Inactive, or Complete. 
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• Exploit Features 

This property lists any additional features that the Proof-of-Concept or exploit provides that are 
not covered by the other listing properties. Examples of such items are: 

— Metasploit Exploit Module 

— ASLR Handled 

— DEP Bypass 

— ROP Payload 

— Encoding-based Evasions 

• Exploit ID 

This property is an identifier for when referring to the specific exploit or proof-of-concept deliverable 
described. 

• Exploitation Context 

This property describes the context within which the successful result of exploitation will operate; 
usually, the level of access to the target that is obtained. Values include: 

— User - The user running the software or application. 

— SuperUser - Some elevated level of access beyond a regular user. 

— Root - The root account on a UNIX or UNIX-like operating system. 

— Administrator - Administrator access on a Microsoft operating system. 

— Kernel - Within the context of the running kernel. 

— File - Access to or the contents of a particular file. 

• Exploitation Impact 

This property describes the result from exploitation of the vulnerability. Values include: 

— Code Execution - Arbitrary machine code execution can be achieved. 

— Command Execution - Arbitrary shell commands are able to be executed. 

— Denial of Service - The target becomes unavailable or unresponsive. 

• Exploitation Indicators 

This property describes indicators left on a target system or within target data that may indicate 
that the target had been attacked. This includes objects left in the filesystem, event or system 
logs, crashing processes, etc. 

• Prerequisites 

This property describes any components or software other than the vulnerable software that must 
be present on the target system for the exploit or Proof-of-Concept to function as expected. 

• Reliability Rating 

This property describes how reliable the developed exploitation method is, and is rated anywhere 
from Completely Reliable (100%) to Cross Your Fingers and Pray (<10%) 
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• Supported Targets 

This property explicitly lists the targets supported by the Proof-of-Concept or exploit. Targets are 
combinations of vulnerable versions and platforms. Examples of targets are as follows: 

- Java 1.6.24 on Internet Explorer 8 on Windows XP SP3 

- 2.3.x on Windows 7 SP1 

- 2.3.14 on All Microsoft Windows 

• Windows Integrity Level 

This property describes the Windows integrity level[l] achieved by exploitation on Windows plat- 
forms that have User Access Controls implemented. On Windows platforms with UAC, processes 
execute at a given integrity level which may or may not limit that process's access to certain system 
resources. Integrity levels are listed below: 

- Low (IE Protected Mode) 

- Medium (User) 

- High 

- System 
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Chapter 2 



Adobe Systems Incorporated 



"Adobe[2] revolutionizes how the world engages with ideas and information. Our award-winning software 
and technologies have set the standard for communication and collaboration for more than 25 years, 
bringing vital and engaging experiences to people across media and to every screen in their lives, at work 
and at play. 

The impact of Adobe software is evident almost everywhere you look. Whether people are collaborating 
at work, transacting online, or socializing with friends, businesses use Adobe software and technologies 
to turn digital interactions into richer, high-value experiences that reach across computing platforms and 
devices to engage people anywhere, anytime. 

With a reputation for excellence and a portfolio of many of the most respected and recognizable software 
brands, Adobe is one of the world's largest and most diversified software companies." 



2.1 Adobe Reader 

'Adobe Reader[3] software is the global standard for electronic document sharing. It is the only PDF file 
viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search, digitally 
sign, verify, print, and collaborate on Adobe PDF files." 

14-004 Adobe Reader Client-side Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2014-03-31 


Expiration Date 
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Vulnerability Information 



Target 


Adobe Reader 


Vulnerability Class 


Logic Flaw 


Affected Versions Tested 


11.0.06 
11.0.04 
11.0.03 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-64 Microsoft Windows 8 (FP:2014-03-24) 
2: x86-32 Microsoft Windows 8 (FP:2014-03-24) 
3: x86-32 Microsoft Windows 7 SP1 (FP:2014-03-24) 
4: x86-64 Microsoft Windows 7 SP1 (FP:2014-03-24) 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


11.0.06 


V 


V 


V 


V 


11.0.04 


V 


V 


V 


V 


11.0.03 


V 


V 


V 


V 



Asset Deliverables 



Documentation 


Asset Dossier including technical vulnerability and exploit documen- 
tation 


Exploits 


14-004-0 


Exploit / Proof-of-Concept Information 


Exploit ID 


14-004-0 


Supported Targets 


1: 11.0.06 on x86-32 Microsoft Windows 7 SP1 (FP:2014-03-24) 
2: 11.0.04 on x86-32 Microsoft Windows 7 SP1 (FP:2014-03-24) 
3: 11.0.03 on x86-32 Microsoft Windows 7 SP1 (FP:2014-03-24) 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Code Execution 


Exploitation Context 


SYSTEM 


Windows Integrity Level 


High 


Exploitation Indicators 


Adobe Reader gracefully exits 


Prerequisites 


Sandbox must be disabled* 


Reliability Rating 


Target 1: Very High (99%) 


Exploit Failure Behavior 


Adobe Reader gracefully exits 


Exploit Features 


ASLR Bypass 

Table continued on next page... 
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- continued from previous page. 





Can be paired with 14-005 to achieve sandbox escape* 


Development Status 


Complete 


Deliverables 


Malicious PDF file 



* If the Adobe sandbox is enabled, this vulnerability can be coupled with a vulnerability providing sandbox 
escape like 14-005. An exploit employing both of these vulnerabilities is available as a deliverable if both 
assets are purchased. 



2.2 Flash Player 

"Adobe® Flash® Player[4] is a cross-platform browser-based application runtime that delivers uncom- 
promised viewing of expressive applications, content, and videos across screens and browsers. Flash Player 
10.1 is optimized for high performance on mobile screens and designed to take advantage of native device 
capabilities, enabling richer and more immersive user experiences." 

12-033 Adobe Flash Player Client-side Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2012.07.15 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


11.3.300.265 
11.2.202.228 


Affected Versions Assumed 


Versions between 11.2.202.228 and 11.3.300.265 


Unaffected Versions 




Affected Platforms Tested 


1: Internet Explorer 9.0.8112 on x86-32 Microsoft Windows 7 SP1 
FP(2012.07.15) 

2: Mozilla Firefox 13.0.1 on x86-32 Microsoft Windows 7 SP1 
FP(2012.07.15) 

3: Google Chrome 20.0.1132.57 m on x86-32 Microsoft Windows 7 
SP1 FP(2012. 07.15) 

4: Internet Explorer 9.0.8112 on x86-64 Microsoft Windows 7 SP1 
FP(2012.07.15) 

5: Mozilla Firefox 13.0.1 on x86-64 Microsoft Windows 7 SP1 
FP(2012. 07.15) 

6: Google Chrome 20.0.1132.57 m on x86-64 Microsoft Windows 7 
SP1 FP(2012. 07.15) 

7: Internet Explorer 9.0.8112 on x86-64 Microsoft Windows Vista 
SP2 FP(2012. 07.15) 



Table continued on next page... 
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- continued from previous page. 
8: Mozilla Firefox 13.0.1 on x86-64 Microsoft Windows Vista SP2 
FP(2012.07.15) 

9: Google Chrome 20.0.1132.57 m on x86-64 Microsoft Windows 
Vista SP2 FP(2012.07.15) 

10: Internet Explorer 9.0.8112 on x86-32 Microsoft Windows Vista 
SP2 FP(2012.07.15) 

11: Mozilla Firefox 13.0.1 on x86-32 Microsoft Windows Vista SP2 
FP(2012.07.15) 

12: Google Chrome 20.0.1132.57 m on x86-32 Microsoft Windows 
Vista SP2 FP(2012.07.15) 

13: Internet Explorer 8.0.6001 on x86-32 Microsoft Windows XP 
SP3 FP(2012. 07.15) 

14: Mozilla Firefox 13.0.1 on x86-32 Microsoft Windows XP SP3 
FP(2012.07.15) 

15: Google Chrome 20.0.1132.57 m on x86-32 Microsoft Windows 
XP SP3 FP(2012.07.15) 



16: Mozilla Firefox 13.0.1 on x86-64 Ubuntu Linux 12.04 
FP(2012.07.15) 



Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


5 


6 


7 


8 


9 


10 


11 


12 


13 


14 


15 


16 


11.3.300.265 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


11.2.202.228 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


Internet Explorer 9.0.8112 on x86-32 Microsoft Windows 7 SP1 




FP(2012.07.15) 




Mozilla Firefox 13.0.1 on x86-32 Microsoft Windows 7 SP1 




FP(2012.07.15) 




Google Chrome 20.0.1132.57 m on x86-32 Microsoft Windows 7 SP1 




FP(2012.07.15) 




Internet Explorer 9.0.8112 on x86-64 Microsoft Windows 7 SP1 




FP(2012.07.15) 




Mozilla Firefox 13.0.1 on x86-64 Microsoft Windows 7 SP1 




FP(2012.07.15) 




Google Chrome 20.0.1132.57 m on x86-64 Microsoft Windows 7 SP1 




FP(2012.07.15) 




Internet Explorer 9.0.8112 on x86-64 Microsoft Windows Vista SP2 




FP(2012.07.15) 




Mozilla Firefox 13.0.1 on x86-64 Microsoft Windows Vista SP2 




FP(2012.07.15) 



Table continued on next page... 
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- continued from previous page. 





Google Chrome 20.0.1132.57 m on x86-64 Microsoft Windows Vista 




cpo FPC9D19 D7 1 R"\ 

Internet Explorer 9.0.8112 on x86-32 Microsoft Windows Vista SP2 




Mozilla Firefox 13.0.1 on x86-32 Microsoft Windows Vista SP2 




FP(2012.07.15) 

Google Chrome 20.0.1132.57 m on x86-32 Microsoft Windows Vista 




SP2 FP(2012.07.15) 

Internet Explorer 8.0.6001 on x86-32 Microsoft Windows XP SP3 




FP(2012. 07.15) 

Mozilla Firefox 13.0.1 on x86-32 Microsoft Windows XP SP3 




FP(2012. 07.15) 

Google Chrome 20.0.1132.57 m on x86-32 Microsoft Windows XP 




SP3 FP(2012.07.15) 


Attack Vector 


Client-side 


Exploitation Impact 


Code Execution 


Exploitation Context 


Sandboxed on Mozilla Firefox 13.0.1 on Windows 7 and Vista targets 
User on Internet Explorer and Windows XP targets 


Windows Integrity Level 


Low on Internet Explorer targets 

Low (sandboxed) on Mozilla Firefox targets 


Exploitation Indicators 


Target process crashes after successful exploitation* 


Prerequisites 




Reliability Rating 


High (90%) for Windows XP SP3 targets (DEP) 

Medium (50%) for Internet Explorer on Windows 7 SP1 and Vista 

SP2 targets (ASLR+DEP) 

Medium (50%) for Firefox on Windows 7 and Vista targets 
Medium (50%) for Chrome on Windows targets 


Development Status 


Active* 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


ASLR bypass via memory disclosure 
DEP handling via ROP 



* Ongoing development to improve reliability to 100%, provide a sandbox bypass for Firefox targets, and 
provide process continuation for the target browser processes. 



2.3 Photoshop CS6 

"Adobe Photoshop CS6[5] delivers magic that helps you bring your creative vision to life. Edit raw image 
files and other photos with state-of-the-art photo editing. Create compelling HDR images, black-and- 
whites, and panoramas. Retouch images with astonishing ease and control. Design anything you can 
imagineat amazing speed. Paint and draw naturally and expressively. Even put your ideas in motion by 
intuitively creating stunning videos. 

• Experience imaging magicCorrect, refine, and composite images with remarkable ease and control. 
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New Content-Aware features take image retouching to a new level. Get superior results when you 
crop, correct wide-angle lens curvatures, auto-correct, and more. 

• Maximize your creativityExperience creative breakthroughs with features that expand your visual 
language. Intuitively create videos within the familiar Photoshop environment. Work more fluidly 
with new and reengineered design tools. Create custom photographic blurs, and paint and draw 
more expressively. 

• Achieve peak performanceTake full advantage of your hardwares power and save significant time. 
Edit at blazingly fast speeds with the new Mercury Graphics Engine. Boost your productivity with 
new preset migration and sharing, new auto-recovery and background save options, and a modern 
user interface. 



13-011 Adobe Photoshop CS6 Client-side Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013.06.22 


Expiration Date 




Vulnerability Information 


Target 


Adobe Photoshop CS6 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


13.1.2 x64 
13.1.2 x32 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x64 Microsoft Windows 7 SP1 (FP:2013-06-22) 
2: x32 Microsoft Windows 7 SP1 (FP:2013-06-22) 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


13.1.2 x64 
13.1.2 x32 


V 
V 


V 
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Exploit / Proof-of-Concept Information 



Supported Targets 


13.1.2 x64 on x64 Microsoft Windows 7 
13.1.2 x32 on x64 Microsoft Windows 7 
13.1.2 x32 on x32 Microsoft Windows 7 


Attack Vector 


Client-side File Format 


Exploitation Impact 


Code Execution 


Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 




Prerequisites 


Network connectivity* 


Reliability Rating 


Very High (99%)** 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


ASLR handled 
DEP bypassed 
Process continuation 



* Exploitation makes use of a two-stage payload. The second stage is downloaded from an attacker- 
controlled webdav server. 

** Each target was tested 30 times, with 1 failure out of all 90. 
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Chapter 3 



Apple, Inc. 



"Apple[6] ignited the personal computer revolution in the 1970s with the Apple II and reinvented the 
personal computer in the 1980s with the Macintosh. Apple is committed to bringing the best personal 
computing experience to students, educators, creative professionals and consumers around the world 
through its innovative hardware, software and Internet offerings." 



3.1 Mac OS X 

"Built on a rock-solid UNIX foundation, OS X[7] is engineered to take full advantage of the technologies 
in every new Mac. And to deliver the most intuitive and integrated computer experience." 

14-010 Apple Mac OS X Local Privileged Command Execution 



Sale Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2014-10-06 


Expiration Date 




Vulnerability Information 


Target 


Apple Mac OS X 


Target Bundles 




Vulnerability Class 


Logic Flaw 


Affected Versions Tested 


10.9.5 (FP:2014-10-05) 




10.9.4 



Table continued on next page... 
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10.7.5 (FP:2014-10-05) 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-64 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


10.9.5 


V 


10.9.4 


V 


10.7.5 


V 



Asset Deliverables 



Documentation 


14-010-0 - Asset Dossier including technical vulnerability and exploit 
documentation 


Exploits 


14-010-1 - Exploit executable 


Source Code 


14-010-2 - Exploit source code for 14-010-1 


Exploit / Proof-of-Concept Information 


Exploit ID 


14-010-1 


Supported Targets 


1: 10.9.5 on x86-64 
2: 10.9.4 on x86-64 
3: 10.7.5 on x86-64 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation 
Command Execution 


Exploitation Context 


root 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


All Targets: Completely (100%) 


Exploit Failure Behavior 


n/a 


Exploit Features 




Development Status 


Complete 


Deliverables 


Exploit* 



* A Metasploit Exploit Module could be developed upon request. 
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Chapter 4 



ASUS 



"ASUS[8] takes its name from Pegasus, the winged horse in Greek mythology that symbolises wisdom 
and knowledge. ASUS embodies the strength, purity, and adventurous spirit of this fantastic creature, 
and soars to new heights with each new product it creates. 

The Taiwanese information technology industry has grown enormously over the last few decades and the 
country is now a dominant player in the global market. ASUS has long been at the forefront of this 
growth and although the company started life as a humble motherboard manufacturer with a handful of 
employees, it is now the leading technology company in Taiwan and employs over 11,000 people around 
the world. ASUS makes products in almost every conceivable category of information technology too, 
including PC components and peripherals, notebooks, tablets, servers and smartphones. 

Innovation is key to the success of ASUS. Having unveiled the PadFone to a rapturous audience at 
Computex 2011, this year ASUS chairman Jonney Shih raised the bar once more with the announcement 
of the TAICHI and Transformer Book dual-purpose mobile devices. 

The ASUS TAICHI is an Ultrabook with a double-sided display that allows it to be used as a tablet when 
the lid is closed, while the Transformer Book is a tablet that can be docked to a keyboard for instant 
transformation into an Ultrabook. 

Together with the Tablet 810 with Windows 8 and Tablet 600 with Windows RT, ASUS has an array of 
products that will surpass its users imaginations as the world enters a new era of cloud computing. 

This visionary approach is why ASUS is a major proponent in bringing quality innovation and design 
into its users lives. ASUS products won 3,886 international awards and accolades in 2011, and company 
revenue was over US$11.9 billion." 



4.1 BIOS Device Driver 

"The device driver for ASUS motherboard BIOS chips." 
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13-015 ASUS BIOS Device Driver Local Privilege Escalation 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2013.08.12 


Expiration Date 




Vulnerability Information 


Target 


ASUS BIOS Device Driver 


Vulnerability Class 


Design or Logic Flaw 


Affected Versions Tested 


V71803 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x64 Microsoft Windows 7 SP1 


Affected Platforms Assumed 


All Windows supported by driver 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


V71803 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


V71803 on x64 Microsoft Windows 7 SP1 


Attack Vector 


Local 


Exploitation Impact 


Unsigned Code Execution 


Exploitation Context 


Kernel 


Windows Integrity Level 


n/a 


Exploitation Indicators 


Log entries indicating driver load and unload 


Prerequisites 


Administrator* 


Reliability Rating 


Completely (100%) 


Development Status 


Active 


Development Phase 


Proof-of-Concept allowing arbitrary code execution 


Development Goal 


Custom Exploit** 


Exploit Features 


Evades Signed driver check 
Bypasees KASLR 
Evades DEP 
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* Administrator access to the system is required as the vulnerable driver, which is delivered by the exploit, 
must be loaded prior to exploitation. 

** Exploit payload and impact can be customized upon request. 
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Chapter 5 



AVAST Software a.s. 



"AVASTs[9] roots go back to 1988, when Czech researchers Eduard Kuera and Pavel Baudi encountered 
the Vienna Virus and began their quest to save the worlds computers from it and others like it. 

Today, AVAST has over professionals headquartered in Prague, Czech Republic, additional offices in 
Austria, Germany, and the USA, distribution partners in all markets, and a global community of avast! 
enthusiasts." 



5.1 avast! Ant i- Virus 

"avast! [10] is, both freeware and commercial, an antivirus computer program with user interface that 
includes 41 languages, available for Microsoft Windows, Mac OS X and Linux platforms. The name 
Avast is an acronym of 'Anti-Virus Advanced Set'. 

avast! has been awarded the VB100 Award by Virus Bulletin multiple times for 100% detection of "in- 
the-wild" viruses and also won the Secure Computing Readers' Trust Award. The central scanning engine 
has been certified by ICSA Labs and West Coast Labs' Checkmark process." 

13-005 avast! Local Information Disclosure 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2013.04.26 


Expiration Date 





Vulnerability Information 
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Target 


avast! Anti-Virus 


Vulnerability Class 


Information Disclosure 


Affected Versions Tested 


8.0.1485 
8.0.1484 
8.0.1483 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 Microsoft Windows 7 SP1 FP(2013. 04.26) 
2: x86-32 Microsoft Windows XP SP3 FP(2013.04.26) 


Affected Platforms Assumed 


All Microsoft Windows 7 
All Microsoft Windows XP 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


8.0.1485 


V 


V 


8.0.1484 




V 


8.0.1483 




V 



Exploit / Proof-of-Concept Information 



Supported Targets 


8.0.1485 on x86-32 Microsoft Windows 7 SP1 
8.0.1485 on x86-32 Microsoft Windows XP SP3 
8.0.1484 on x86-32 Microsoft Windows XP SP3 
8.0.1483 on x86-32 Microsoft Windows XP SP3 


Attack Vector 


Local 


Exploitation Impact 


Information Disclosure: Kernel Memory 


Exploitation Context 


User 


Windows Integrity Level 


Current 


Exploitation Indicators 


Leaked memory data is written to file (erased upon reboot) 
Access Violation system crash if invalid address is targetted for dis- 
closure 

If the avast! AutoSandbox is enabled, each executable will be ana- 
lyzed and an alert window is shown to the user however the exploit 
still succeeds. 


Prerequisites 




Reliability Rating 


Completely (100%) 


Development Status 


Active 


Development Phase 


Exploit 


Development Goal 


Metasploit Exploit with post-exploitation cleanup 


Exploit Features 


Process continuation 
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13-010 avast! Anti- Virus Local Privilege Escalation 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2013-06-03 


Expiration Date 




Vulnerability Information 


Target 


avast! Anti-Virus 


Vulnerability Class 


Race Condition 




Memory Corruption 


Affected Versions Tested 


Free 8.0.1489 




Free 8.0.1488 




Free 8.0.1487 




Free 8.0.1486 




Free 8.0.1485 




Free 8.0.1484 




Free 8.0.1483 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 Microsoft Windows 7 SP1 (FP:2013-06-05) English 




2: x86-32 Microsoft Windows XP SP3 Spanish 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


Free 8.0.1489 


V 


V 


Free 8.0.1488 


V 


V 


Free 8.0.1487 


V 


V 


Free 8.0.1486 


V 


V 


Free 8.0.1485 


V 


V 


Free 8.0.1484 


V 


V 


Free 8.0.1483 


V 


V 



Exploit / Proof-of-Concept Information 
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Supported Targets 


Free 8.0.1489 on x86-32 Microsoft Windows 7 SP1 (FP:2013-06-05) 
English 

Free 8.0.1489 on x86-32 Microsoft Windows XP SP3 Spanish 
Free 8.0.1488 on x86-32 Microsoft Windows 7 SP1 (FP:2013-06-05) 
English 




Free 8.0.1488 on x86-32 Microsoft Windows XP SP3 Spanish 


Attack Vector 


Local 


Exploitation Impact 


Code Execution 


Exploitation Context 


SYSTEM 


Windows Integrity Level 


High 


Exploitation Indicators 


Data remains in configuration file which is erased upon reboot. 
If the avast! AutoSandbox is enabled, each executable will be ana- 
lyzed and an alert window is shown to the user however the exploit 
still succeeds. 


Prerequisites 




Reliability Rating 


High (95%) 


Development Status 


Active 


Development Phase 


Exploit for Windows XP SP3 


Development Goal 


Professional Exploit for Multiple Windows platforms including Win- 
dows 7 


Exploit Features 


Process continuation 
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Chapter 6 



Barracuda Networks, Inc. 



"Barracuda Networks, Inc. [11] offers industry-leading solutions designed to solve mainstream IT problems 
efficiently and cost effectively while maintaining a level of customer support and satisfaction second to 
none. Our products span three distinct markets, including: 1) content security, 2) networking and 
application delivery, as well as 3) data storage, protection and disaster recovery. 

While we maintain a strong heritage in email and web security appliances, our award-winning portfolio 
includes more than a dozen purpose-built solutions that support literally every aspect of the network 
providing organizations of all sizes with true end-to-end protection that can be deployed in hardware, 
virtual, cloud and mixed form factors. 

CitiBank, Coca-Cola, Delta Dental, FedEx, Harvard University, IBM, L'Oreal, Liberty Tax Service, Myth- 
busters and Spokane Public Schools are amongst the more than 150,000 organizations worldwide con- 
fidently protecting their users, applications and data with Barracuda Networks solutions. The company 
is privately held with its international headquarters and manufacturing facility based in Campbell, Cali- 
fornia. Barracuda Networks has offices in eight international locations and distributors in more than 80 
countries worldwide." 



6.1 Web Filter 

"The Barracuda Web Filter[12] is an integrated content filtering, application blocking and malware 
protection solution that is powerful, easy to use and affordable for businesses of all sizes. It enforces 
Internet usage policies by blocking access to Web sites and Internet applications that are not related 
to business, and it easily and completely eliminates spyware and other forms of malware from your 
organization. No more costly staff time lost repairing infected computers." 

13-000 Barracuda Web Filter Remote Privileged Code Execution 

Asset Information 

Table continued on next page... 
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Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2012.01.07 


Expiration Date 




Vulnerability Information 


Ta rget 


Barracuda Web Filter Firmware 


\ / 1 |_ " 1 " i /"* 1 

Vulnerability Class 


Input Validation 


Arc j 1 \ / "T" ■ 1 

Affected Versions Tested 


5.1.1.004 




5.1.0.013 




5.0.0.016 




r a n rn /i 

5.0.0.014 




5.0.0.012 




5.0.0.011 




5.0.0.010 




r~ ft. ft. ft ft zr 

5.0.0.006 




r~ a r\ r\r\ a 

5.0.0.004 




5.0.0.003 




r A ft r\AO 

5.0.0.002 




/l r ft ft ft -1 

4.5.0.001 




/i /i ft ft -i r - 

4.4.0.015 




A A ft ft "1 ft 

4.4.0.012 




4.4.0.011 




4.4.0.010 




4.4.0.006 




4.4.0.004 




4.4.0.003 




4.4.0.002 




4.3.0.015 




4.3.0.014 




4.3.0.013 




4.3.0.011 




4.3.0.010 




4.3.0.009 




4.3.0.008 




4.2.0.014 




4.2.0.013 




4.2.0.011 




4.2.0.007 




4.2.0.006 




4.2.0.005 




4.1.0.015 




4.1.0.011 
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4.1.0.007 




4.1.0.006 




4.1.0.005 




3.0.1.18 


Affected Versions Assumed 


5.x* 




4.x* 




3.x* 


Unafferted Versions 


6 0 0 013 




6.0.0.012 




6 0 0 011 




6.0.0.010 


Affected Platforms Tested 


1: Web Filter 210 




2: Web Filter 310 




3: Web Filter 410 




4: Web Filter 610 




5: Web Filter 810 




6: Web Filter 1010 




7: Web Filter 310 Vx 


Affected Platforms Assumed 


Web Filter 410 Vx 




Web Filter 610 Vx 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


5 


6 


7 


5.1.1.004 








V 


V 






5.1.0.013 




V 












5.0.0.016 














V 


4.5.0.001 




V 












4.4.0.012 




V 










V 


3.0.1.018 




V 













Exploit / Proof-of-Concept Information 



Supported Targets 


5.1.1.004 on Web Filter 810 




5.1.1.004 on Web Filter 610 




5.1.0.013 on Web Filter 310 




4.5.0.001 on Web Filter 310 




4.4.0.012 on Web Filter 310 




3.0.1.018 on Web Filter 310 


Attack Vector 


Remote 


Exploitation Impact 


Code Execution 




Command Execution 




Proxy Zone Bypass 
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Exploitation Context 


root 


Exploitation Indicators 


Web server log entries 


Prerequisites 


Network connectivity to proxy port (default 8080) or Web Admin 
port (default 8000, sometimes 80 or 443) on the target 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


2 Professional Metasploit Exploits 


Development Goal 


2 Professional Metasploit Exploits 


Exploit Features 


Post-exploitation cleanup 
IDS/IPS evasion 

Combined/minimal protocol requests 

Multiple Payloads: remote shell, command execution 

Optional Actions: retrieve admin password, file upload 



* The vulnerability is located in code that is universal and identical in all 3.x, 4.x, and 5.x firmware. 



13-002 Barracuda Web Filter Remote Privileged Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2012.02.22 


Expiration Date 




Vulnerability Information 


Target 


Barracuda Web Filter Firmware 


Vulnerability Class 


Input Validation 


Affected Versions Tested 


5.1.1.004 




5.1.0.013 




5.0.0.016 




5.0.0.014 




5.0.0.012 




5.0.0.011 




5.0.0.010 




5.0.0.006 




5.0.0.004 




5.0.0.003 




5.0.0.002 




4.5.0.001 
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4 4 n m s 




4.4.0.012 




4.4.0.011 




4.4.0.010 




4 4 fl DflfS 




4 4 fl Dfl4 




4 4 0 003 




4 4 0 on? 




4 3 0 01 S 

*T. O . U . U ± -J 




4 3 0 014 




4 3 0 01 3 




4 3 0 01 1 




4 3 0 010 

*T. o .u . 




4 3 0 00Q 




4 3 0 008 

*T. O . U . UvU 




4 2.0.014 




4 9 0 01 3 

*T. £. . U . U-LO 




4.2.0.011 




4.2.0.007 




4 2 0 006 




4.2.0.005 




4.1.0.015 




4.1.0.011 




4.1.0.007 




4.1.0.006 




4.1.0.005 




3.0.1.18 


Affected Versions Assumed 


5.x* 




4.x* 




3.x* 


Unaffected Ver^ion^ 

W II a 1 1 L^.U V LI JlUI 1 J 


6 0 0 013 




6.0.0.012 




6.0.0.011 




6.0.0.010 


Affected Platforms Tested 


1: Web Filter 210 




2: Web Filter 310 




3: Web Filter 410 




4: Web Filter 610 




5: Web Filter 810 




6: Web Filter 1010 




7: Web Filter 310 Vx 


Affected Platforms Assumed 


Web Filter 410 Vx 




Web Filter 610 Vx 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 
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1 


2 


3 


4 


5 


6 


7 


5.1.1.004 








V 


V 






5.1.0.013 




V 












5.0.0.016 














V 


4.5.0.001 




V 












4.4.0.012 




V 










V 


3.0.1.018 




V 













Exploit / Proof-of-Concept Information 



Supported Targets 


5.1.1.004 on Web Filter 810 
5.1.1.004 on Web Filter 610 
5.1.0.013 on Web Filter 310 
5.0.0.016 on Web Filter 310 Vx 
4.5.0.001 on Web Filter 310 
4.4.0.012 on Web Filter 310 
4.4.0.012 on Web Filter 310 Vx 
3.0.1.018 on Web Filter 310 


Attack Vector 


Post-Auth Remote 


Exploitation Impact 


Code Execution 
Command Execution 
Proxy Zone Bypass 


Exploitation Context 


root 


Exploitation Indicators 


Web server log entries 


Prerequisites 


Network connectivity to proxy port (default 8080) or Web Admin 
port (default 8000, sometimes 80 or 443) on the target 
Successful Authentication 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


2 Professional Metasploit Exploits 


Development Goal 


2 Professional Metasploit Exploits 


Exploit Features 


Post-exploitation cleanup 
IDS/IPS evasion 

Combined/minimal protocol requests 

Multiple Payloads: remote shell, command execution 

Optional Actions: retrieve admin password, file upload 



* The vulnerability is located in code that is universal and identical in all 3.x, 4.x, and 5.x firmware. 
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Chapter 7 



Dell, Inc. 



"For more than 28 years, Dell[13] has empowered countries, communities, customers and people every- 
where to use technology to realize their dreams. Customers trust us to deliver technology solutions that 
help them do and achieve more, whether they're at home, work, school or anywhere in their world." 



7.1 Sonic WALL 

"Dell SonicWALL[14] solutions are available for small and mid-sized business customers through large 
enterprise customers. They are deployed in large campus environments, distributed enterprise settings, 
government, retail point-of-sale and healthcare segments. Due to the constantly evolving landscape of 
threats, organizations need to deploy more comprehensive, dynamic security solutions. Dell SonicWALLs 
dynamic network security and data protection enable Dell to offer comprehensive Next-Generation Firewall 
and Unified Threat Management solutions. In addition, Dell SonicWALL also provides Secure Remote 
Access, Email Security, Backup and Recovery, and Management and Reporting to organizations of all 
sizes. Its Global Management System allows network administrators to centrally manage and provision 
thousands of security appliances across a widely distributed network." 

12-031 Dell SonicWALL Multiple Products Remote Command Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2012.07.04 


Expiration Date 




Vulnerability Class 


Logic Flaw 


Affected Versions Tested 


Analyzer 7.0 




GMS 6.0.2 SP2* 
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GMS 6.0 SP2* 




GMS 6.0* 




GMS 5.1.1* 




ViewPoint 6.0.2 SP2* 




ViewPoint 6.0 SP2* 




ViewPoint 6.0* 




ViewPoint 5.1.1* 


Affected Versions Assumed 


GMS 6.0 SP1* 
ViewPoint 6.0 SP1* 


Unaffected Versions 




Affected Platforms Tested 


1: x86-64 Microsoft Windows 2008 R2 FP(2012.06.25) 
2: Vendor-provided Virtual Appliance 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


Analyzer 7.0 




V 


GMS 6.0.2 SP2 


V 


V 


GMS 6.0.2 


V 


V 


GMS 6.0 SP2 


V 


V 


GMS 6.0 


V 


V 


GMS 5.1.1 


V 




ViewPoint 6.0.2 SP2 


V 


V 


ViewPoint 6.0.2 


V 


V 


ViewPoint 6.0 SP2 


V 


V 


ViewPoint 6.0 


V 


V 


ViewPoint 5.1.1 


V 





Exploit / Proof-of-Concept Information 



Supported Targets 


Analyzer 7.0 on Virtual Appliance 
GMS 6.x on Virtual Appliance 

ViewPoint 6.x on x86-64 Microsoft Windows 2008 R2 
FP(2012.06.25) 

ViewPoint 6.x on Virtual Appliance 


Attack Vector 


Remote Post-auth 


Exploitation Impact 


Command Execution 


Exploitation Context 


Webinterface Administrator 


Windows Integrity Level 


None 


Exploitation Indicators 


Single log entry indicating that the admin user could not be authen- 
ticated. 


Prerequisites 


The web interface must be acceesible to the attacker. 
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Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Instructional** 


Development Goal 


Instructional** 


Exploit Features 





* Hotfixes 90982, 104767, and 108886 can be applied to all versions noted, however none of these affect 
the vulnerability. 

** No exploit is required; the vulnerability can be leveraged using any standard web browser. 
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Chapter 8 



Fulvio Ricciardi 



"Fulvio Ricciardi [15] is the author of ZeroShell, a a Linux distribution for servers and embedded devices 
aimed at providing the main network services a LAN requires." 



8.1 ZeroShell 

"Zeroshell[16] is a Linux distribution for servers and embedded devices aimed at providing the main 
network services a LAN requires. It is available in the form of Live CD or Compact Flash image and you 
can configure and administer it using your web browser." 

13-014 ZeroShell Remote Privileged Command Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2013-07-22 


Expiration Date 




Vulnerability Information 


Target 


ZeroShell 


Vulnerability Class 


Logic Flaw 


Affected Versions Tested 


2.0. RC2* 


Affected Versions Assumed 


All 


Unaffected Versions 




Affected Platforms Tested 


1: ZeroShell Linux Kernel 3.4.19-ZS 
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Affected Platforms Assumed 


All 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0.RC2 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


ZeroShell 2.0. RC2 


Attack Vector 


Remote 


Exploitation Impact 


Command Execution 


Exploitation Context 


root 


Exploitation Indicators 




Prerequisites 


Network connectivity to the target 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 





* Tested against Zeroshell VM (ZeroShell-2.0.RC2.iso) as provided by the vendor. 
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Chapter 9 



Google 



"Googles[17] mission: Organize the worlds information and make it universally accessible and useful. 

Beginning in 1996, Stanford University graduate students Larry Page and Sergey Brin built a search 
engine called BackRub that used links to determine the importance of individual web pages. By 1998 
they had formalized their work, creating the company you know today as Google. 

Since then, Google has grown by leaps and bounds. From offering search in a single language we now 
offer dozens of products and servicesincluding various forms of advertising and web applications for all 
kinds of tasksin scores of languages. And starting from two computer science students in a university 
dorm room, we now have thousands of employees and offices around the world. 



9.1 Android 

"Android[18] is an open-source software stack for a wide range of mobile devices and a corresponding 
open-source project led by Google. Here you can find the information and source code you need to learn 
more about the Android platform. From there you can create custom variants of the Android software 
stack, port devices and accessories to the Android platform, and ensure your devices are compatible with 
the Android compatibility definition." 

13-022 Google Android Local Application Permissions Evasion 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2013-10-28 


Expiration Date 
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Vulnerability Information 



Target 


Google Android 


Vulnerability Class 


Design Flaw 


Affected Versions Tested 


2.3.7 




2.3.6 




2.2.2 




2.2.1 


Affected Versions Assumed 


2.x 




1.6.x 




1.5.x 


Unaffected Versions 


4.x 




3.x 


Affected Platforms Tested 


1: Android SDK Emulator 22.0.1.0 




2: Samsung Galaxy Y (GT-S5360) 




3: HTC Tatoo 




4: HTC Magic 


Affected Platforms Assumed 




Unaffected Platforms 


Nexus 4 


Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


4.3 


N 








3.0 


N 


N 


N 


N 


2.3.7 


V 




V 




2.3.6 


V 


V 






2.2.2 


V 








2.2.1 


V 






V 



Exploit / Proof-of-Concept Information 



Supported Targets 


1: 2.3.7 on Android SDK Emulator 22.0.1.0 
2: 2.3.7 on HTC Tatoo 
3: 2.3.6 on Android SDK Emulator 22.0.1.0 
4: 2.3.6 on Samsung Galaxy Y (GT-S5360) 
5: 2.2.2 on Android SDK Emulator 22.0.1.0 
6: 2.2.1 on Android SDK Emulator 22.0.1.0 
7: 2.2.1 on HTC Magic 


Attack Vector 


Local 


Exploitation Impact 


App Controls/Permissions Bypass* 


Exploitation Context 


User 


Exploitation Indicators 


Call in progress can be noticed 
Outgoing call log registers calls 

USSD/SS command results can be seen in a message 
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Prerequisites 


Code execution 


Reliability Rating 


All Targets: Completely (100%) 


Exploit Failure Behavior 




Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Place call in background 



* App Controls/Permissions bypass allows unauthorized access to perform outgoing calls as well as USSD 
and SS commands. Manufacturer defined MMI or SIM control codes will not work. 
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Chapter 10 



Juniper Networks 



"At Juniper Networks[19], we are leading the charge to architecting the new network. At the heart of the 
new network is our promise to transform the economics and experience of networking for our customers. 
We offer a high-performance network infrastructure built on simplicity, security, openness, and scale. We 
are innovating in ways that empower our customers, our partners, and ultimately everyone in a connected 
world. 

Our products and technologies run the worlds largest and most demanding networks today, enabling 
our customers to create value and accelerate business success within the new, rapidly changing global 
marketplace. Our customers include the top 130 global service providers, the Fortune Global 100, as 
well as hundreds of federal, state and local government agencies and higher education organizations 
throughout the world. 

As a pure play, high-performance networking company, we offer a broad product portfolio that spans rout- 
ing, switching, security, application acceleration, identity policy and control, and management designed 
to provide unmatched performance, greater choice, and true flexibility, while reducing overall total cost 
of ownership. In addition, through strong industry partnerships, Juniper Networks is fostering a broad 
ecosystem of innovation across the network." 



10.1 Network Connect Server 

"Network Connect Server is the Linux daemon software providing SSL VPN client connection services for 
connecting to Juniper's SA Series[20] devices." 

12-034 Juniper Network Connect Server Local Privilege Escalation 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
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Non-Exclusive Purchase 
Monthly License 


Listing Date 


2012.07.14 


Vulnerability Class 


Logic Flaw 


Affected Versions Tested 


7.2-0-Build20761 
7.0-0-Buildl6899 
7.0-0-Buildl6499 


Affected Versions Assumed 


7.1 


Unaffected Versions 




Affected Platforms Tested 


1: x86-32 Debian Linux 6.0.5 
2: x86-32 Debian Linux unstable(2012.07.14) 
3: x86-64 Debian Linux unstable(2012.07.14) 
4: x86-64 CentOS 6.2 


Affected Platforms Assumed 


All Linux* 


Unaffected Platforms 


Mac OS X 
Microsoft Windows 


Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


7.2-0-Build20761 


V 


V 


V 


V 


7.0-0-Buildl6899 


V 


V 


V 


V 


7.0-0-Buildl6499 


V 


V 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 



Attack Vector 



7.2-0- 

7.2-0- 

7.2-0 

7.2-0- 

7.0-0 

7.0-0 

7.0-0 

7.0-0 

7.0-0 

7.0-0 

7.0-0- 

7.0-0- 

Local 



Build20761 
Build20761 
Build20761 
Build20761 
Buildl6899 
Buildl6899 
Buildl6899 
Buildl6899 
Buildl6499 
Buildl6499 
Buildl6499 
Buildl6499 



on x86-32 
on x86-32 
on x86-64 
on x86-64 
on x86-32 
on x86-32 
on x86-64 
on x86-64 
on x86-32 
on x86-32 
on x86-64 
on x86-64 



Debian Linux 
Debian Linux 
Debian Linux 
CentOS 6.2 
Debian Linux 
Debian Linux 
Debian Linux 
CentOS 6.2 
Debian Linux 
Debian Linux 
Debian Linux 
CentOS 6.2 



6.0.5 

unstable(2012.07.14) 
unstable(2012.07.14) 

6.0.5 

unstable(2012.07.14) 
unstable(2012.07.14) 

6.0.5 

unstable(2012.07.14) 
unstable(2012.07.14) 



Exploitation Impact 



Command Execution 



Exploitation Context 



root 



Client log entries 

User privileges on the target 



Exploitation Indicators 



Prerequisites 



system 
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Target system must have target software "Juniper Network Connect" 




installed 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Cross-platform (Linux) without modification* 



* Due to the vulnerability being a logic flaw, underlying Linux distribution and architecture is irrelevant 
to triggering the vulnerability and exploitation. 
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Chapter 11 



Kingsoft Office Software 



"Kingsoft 0ffice[21] is a software development company headquartered in Hong Kong, which focus on 
office software containing the three essential office applications: Kingsoft Writer, Kingsoft Presentation 
and Kingsoft Spreadsheets. Established in 1989, Kingsoft Office has devoted over two decades to the 
development of user-friendly office software. It has maintained a similar user interface to Microsoft Office 
meaning that new users require no retraining, and there is a high degree of compatibility between the 
two products. 

The composition of our team is diverse and complete. Kingsoft Office's team is integrally formed by 
industry experts from various industries. This wide range of experience has been drawn upon to create 
a fully fledged, robust office suite. 

Kingsoft Office is one of the earliest companies to engage in the research and development of word 
processors and other office applications, and was the market leader in the late 1980's and early 1990's. 
Today Kingsoft Office is viewed as an inexpensive alternative to Microsoft Office. And it has made 
relationship with Dell and collaborations with Intel and IBM, and will continue to do so in the future, in 
order to consistently provide innovative, high quality products and services. 

Kingsoft Office Corporation future will be aimed at breaking into all over the world, now it has published 
four sets of office suite: Kingsoft Office Professional, Kingsoft Office Standard, Kingsoft Office Free and 
Kingsoft Office Student and Home. These four versions almost cover all target clients that could meet 
various requirements including professional and business, home and students, and common daily needs. 
Of course, it will make a sustained effort to develop more brilliant office software to attract much wider 
users. 

Kingsoft Office is committed to offering best quality and user-friendly office software to further expand 
to international markets and become a first class office software developer." 



11.1 Kingsoft Office 

"As an office suite of desktop applications, Kingsoft Office[22] consists of a word processorWriter, a 
spreadsheet programSpreadsheets and a presentation programPresentation. Compared with other office 
suites, Kingsoft Office is regarded as one of the best office applications with user-friendly interfaces and 
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excellent performance. 

In addition to innovative features in the last version such as a built-in PDF creator, the latest version 
has added various new features, allowing you to switch between the 2013 and classical interfaces, adjust 
your paragraph formatting and table dimensions with drag and drop, save files as more formats (such as 
.docx, .docm, .xlsx and .xlsm) and insert a movie or background sound into a PPT slide. Kingsoft Office 
Suite Professional 2013 will not only enable you to fulfill data analyzing needs in business, but to turn 
your innovative ideas into illustrative documents or presentations." 

13-016 Kingsoft Office Client-side Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013-08-26 


Expiration Date 




Vulnerability Information 


Target 


Kingsoft Office 2012 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


8.1.0.3387 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x64 Microsoft Windows 7 
2: x32 Microsoft Windows 7 
3: x64 Microsoft Windows XP 
4: x32 Microsoft Windows XP 


Affected Platforms Assumed 


Microsoft Vista 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


8.1.0.3387 


V 


V 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


8.1.0.3387 on Microsoft Windows 7 
8.1.0.3387 on Microsoft Windows XP 


Attack Vector 


Client-side Remote 
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Exploitation Impact 


Code Execution 


Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 


Process crash 


Prerequisites 




Reliability Rating 


Completely (100%) 


Development Status 


Complete* 


Development Phase 


Exploit 


Development Goal 


Professional Exploit 


Exploit Features 


ASLR handled 



* Professional exploit(s) can be developed upon request. 
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Chapter 12 



Korea Computer Center 



"The Korea Computer Center (KCC)[23] is the leading North Korean government information technology 
research center. It was founded on October 24, 1990. 

KCC operates eight development and production centers, and 11 regional information centers. It runs 
the KCC Information Technology College and its Information Technology Institute. The KCC has branch 
offices in China, Germany, Syria and the United Arab Emirates. It has an interest in Linux research, and 
started the development of the Red Star OS distribution localised for North Korea. 

While KCCs main focus is on North Korean work, as of 2011 it also works for clients in Europe, China, 
South Korea, Japan and the Middle East." 



12.1 Red Star OS 

"Red Star OS[24] is a North Korean Linux-based operating system. Development started in 2002 at 
the Korea Computer Center. Prior to its development, computers in North Korea typically used English 
versions of Microsoft Windows. As of 2010, it is on version 2.0. It is only offered in a Korean language 
edition, localised with North Korean terminology and spelling." 

12-008 Red Star OS Sat Privileged Remote and Client-Side Command 
Execution 



Vulnerability Information 



Asset Type 


Internal 


Vulnerability Class 


Input Validation 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 Red Star OS 2.0 
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Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


Sat 2.0 on x86-32 Red Star OS 2.0 


Attack Vector 


Remote 

Client-Side via CSRF 


Exploitation Impact 


Command Execution 


Exploitation Context 


root 


Exploitation Indicators 


Log entries* 


Prerequisites 


Successful Authentication or Established Session 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Metasploit Exploit 


Development Goal 


Metasploit Exploit 


Exploit Features 


HTTP request attack vector 
CSRF capable 

Trigger and payload is embeddable within HTML 



* Log entries in some cases based on attack vector. 



12-011 Red Star OS Local Privilege Escalation 



Vulnerability Information 



Asset Type 


Internal 


Vulnerability Class 


Misconfiguration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 
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1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of system command 


12-012 Red Star OS Local Privilege Escalation 




Vulnerability Information 


Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 


Exploitation Indicators 


System Reboot* 


Prerequisites 


Local Command Execution 
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Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical library 



* An attacker initiated system reboot is required in the case of active exploitation; however it is possible 
for unprivileged users to reboot the system by default. Passive exploitation may also be employed which 
does not require a system reboot. 

12-013 Red Star OS Local Privilege Escalation 



Vulnerability Information 



Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation (Code Execution) 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical application library 
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12-014 Red Star OS Local Privilege Escalation 



Vulnerability Information 



Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation (Code Execution) 


Exploitation Context 


root 


Exploitation Indicators 


System Reboot* 


Prerequisites 


Local Command Execution 




Ability to reboot system* 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical system commands 



* An attacker initiated system reboot is required in the case of active exploitation; however it is possible 
for unprivileged users to reboot the system by default. Passive exploitation may also be employed which 
will trigger the payload upon the next and subsequent regularly-scheduled system reboots. 

12-015 Red Star OS Local Privilege Escalation 



Vulnerability Information 



Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 
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Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of system command 


12-016 Red Star OS Local Privilege Escalation 




Vulnerability Information 


Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 
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1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical system command 


12-017 Red Star OS Local Privilege Escalation 




Vulnerability Information 


Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 
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Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical system command 


12-018 Red Star OS Local Privilege Escalation 

Vulnerability Information 


Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical system command 



12-019 Red Star OS Local Privilege Escalation 

Vulnerability Information 
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Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of system command 


12-020 Red Star OS Local Privilege Escalation 




Vulnerability Information 


Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 
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Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation (Code Execution) 


Exploitation Context 


root 


Exploitation Indicators 


System Reboot* 


Prerequisites 


Local Command Execution 




Ability to reboot system* 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical system command 



* An attacker initiated system reboot is required in the case of active exploitation; however it is possible 
for unprivileged users to reboot the system by default. Passive exploitation may also be employed which 
does not require a system reboot. 

12-021 Red Star OS Local Privilege Escalation 



Vulnerability Information 



Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 
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Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of system command 


12-022 Red Star OS Local Privilege Escalation 

Vulnerability Information 


Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 




Vulnerability Test Matrix 








1 




2.0 


V 


Exploit / Proof-of-Concept Information 


Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local (Passive) 


Exploitation Impact 


Privilege Escalation (Command Execution) 


Exploitation Context 


root 


Exploitation Indicators 


none 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical system command 
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12-023 Red Star OS Local Privilege Escalation 



Vulnerability Information 



Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 


Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation (Code Execution) 


Exploitation Context 


root 


Exploitation Indicators 


System Reboot* 


Prerequisites 


Local Command Execution 




Ability to reboot system* 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Replacement of critical system command 



* An attacker initiated system reboot is required in the case of active exploitation; however it is possible 
for unprivileged users to reboot the system by default. Passive exploitation may also be employed which 
will trigger the payload upon the next and subsequent regularly-scheduled system reboots. 

12-024 Red Star OS Local System Reboot Privilege Escalation 



Vulnerability Information 



Asset Type 


Internal 


Vulnerability Class 


Misconfigu ration 
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Affected Versions Tested 


2.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2.0 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Red Star OS 2.0 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation* 


Exploitation Context 


root 


Exploitation Indicators 


System Reboot 


Prerequisites 


Local Command Execution 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Reboot via non-system command 



* The privilege escalation performed via this vulnerability only allows for execution of a system reboot 

without root privileges. 
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Chapter 13 



McAfee, Inc. 



"McAfee for Consumers[25] delivers world-class retail and online solutions designed to secure, protect, 
and optimize the computers of consumers and home office users. 

McAfee's advanced retail desktop solutions include premier anti-virus, security, encryption, and desktop 
optimization software. McAfee's managed Web security services employ a patented system and process 
of delivering software through an Internet browser to provide these services to users online through its 
Web site, home.mcafee.com. This Web site is one of the largest paid subscription sites on the Internet 
with over two million active paid subscribers. 

With headquarters in Santa Clara, California, McAfee, Inc., is a leading supplier of network security and 
availability solutions. McAfee creates best-of-breed computer security solutions that prevent intrusions 
on networks and protect computer systems from the next generation of blended attacks and threats. 
More information on McAfee is available at www.mcafee.com. 

All McAfee products are backed with the respected anti-virus research organization such as McAfee 
AVERT, which protects McAfee customers against the latest and most complex virus attacks. Quick 
Facts" 



13.1 ePolicy Orchestrator 

"McAfee ePolicy Orchestrator (McAfee ePO)[26] is the most advanced, extensible, and scalable cen- 
tralized security management software in the industry. Unifying security management through an open 
platform, McAfee ePO makes risk and compliance management simpler and more successful for organi- 
zations of all sizes. As the foundation of McAfee Security Management Platform, McAfee ePO enables 
customers to connect industry-leading security solutions to their enterprise infrastructure to increase 
visibility, gain efficiencies, and strengthen protection. And now with Real Time for McAfee ePO, admin- 
istrators can see critical product details in seconds and remediate security issues directly on endpoints as 
events are happening. 

Customers use McAfee ePOs flexible automation capabilities to streamline workflows, dramatically re- 
ducing the cost and complexity of security and compliance administration. 
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Security providers and system integrators can extend the reach of their offerings by incorporating their 
expertise and best practices with the McAfee ePO platform to deliver differentiated solutions." 

13-019 McAfee ePolicy Orchestrator Privileged Remote Code Execution 



Asset Information 



Asset Type 


Internal 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013-09-23 


Expiration Date 




Vulnerability Information 


Target 


McAfee ePolicy Orchestrator 


Vulnerability Class 


Input Validation 


Affected Versions Tested 


5.1.0 
5.0.1 
5.0.0 


Affected Versions Assumed 




Unaffected Versions 


4.6.5 


Affected Platforms Tested 


1: Microsoft Windows Server 2012 
2: Microsoft Windows Server 2008 R2 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


5.1.0 


V 


V 


5.0.1 


V 


V 


5.0.0 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


1: 


5.1.0 


on Microsoft Windows Server 


2012 






2: 


5.0.1 


on Microsoft Windows Server 


2012 






3: 


5.0.1 


on Microsoft Windows Server 


2012 






4: 


5.1.0 


on Microsoft Windows Server 


2008 


R2 




5: 


5.0.0 


on Microsoft Windows Server 


2008 


R2 




6: 


5.0.0 


on Microsoft Windows Server 


2008 


R2 
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Attack Vector 


Remote 


Exploitation Impact 


Code Execution 


Exploitation Context 


NT-Authority\ system 


Windows Integrity Level 


System 


Exploitation Indicators 


Exploit stager script stored temporarily on the target system 
Log entries in database and web server log files 


Prerequisites 




Reliability Rating 


Target 1: Completely (100%) 
Target 2: Completely (100%) 
Target 3: Completely (100%) 
Target 4: Completely (100%) 


Exploit Failure Behavior 




Development Status 


Complete 


Development Phase 


Professional Exploit: Metasploit Exploit Module 
Post-exnloitation Client Comnromise Module 
Database user password decryption tool 


Development Goal 


Professional Exploit: Metasploit Exploit Module 
Post-exploitation Client Compromise Module 
Database user password decryption tool 


Exploit Features 


Post-exploitation cleanup (removal of stager) 

Post-exploitation module can be leveraged to deliver a privileged 
payload to all systems executing the ePolicy Agent software which are 
managed by the ePolicy server, effectively allowing the compromise 
of an entire enterprise. 



13-024 McAfee ePolicy Orchestrator Post-Auth Privileged Remote Code 
Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013-11-25 


Expiration Date 




Vulnerability Information 


Target 


McAfee ePolicy Orchestrator 


Vulnerability Class 


Input Validation 


Affected Versions Tested 


5.1.0 
5.0.1 
5.0.0 
4.6.6 
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4.6.5 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: Microsoft Windows Server 2012 
2: Microsoft Windows Server 2008 R2 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


5.1.0 


V 




5.0.1 


V 


V 


5.0.0 


V 


V 


4.6.6 




V 


4.6.5 




V 



Exploit / Proof-of-Concept Information 



Supported Targets 


1: 5.1.0 


on Microsoft Windows Server 2012 




2: 5.0.1 


on Microsoft Windows Server 2012 




3: 5.0.1 on Microsoft Windows Server 2008 R2 




4: 5.0.0 


on Microsoft Windows Server 2012 




5: 5.0.0 on Microsoft Windows Server 2008 R2 




6: 4.6.6 on Microsoft Windows Server 2008 R2 




7: 4.6.5 on Microsoft Windows Server 2008 R2 


Attack Vector 


Remote 


Exploitation Impact 


Code Execution 


Exploitation Context 


NT-Authority\ system 


Windows Integrity Level 


System 


Exploitation Indicators 


Exploit stager script stored temporarily on the target system 
Log entries in database and web server log files 


Prerequisites 


Authenticated session as any valid user 


Reliability Rating 


Target 1 


Completely (100%) 




Target 2 
Target 3 


Completely (100%) 
Completely (100%) 




Target 4 


Completely (100%) 




Target 5 


Completely (100%) 




Target 6 


Completely (100%) 




Target 7 


Completely (100%) 


Exploit Failure Behavior 




Exploit Features 


Post-exploitation cleanup (removal of stager) 
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Vulnerability can be further leveraged to deliver a privileged payload 
to all systems executing the ePolicy Agent software which are man- 
aged by the ePolicy server, effectively allowing the compromise of an 
entire enterprise.* 


Development Status 


Complete 


Deliverables 


Professional Exploit: Metasploit Exploit Module 
Post-exploitation Client Compromise Instructional 
Database user password decryption tool 



* Metasploit post-exploitation module can be developed upon request to implement Agent systems com- 
promise. 
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Chapter 14 



Microsoft Corporation 



"At Microsoft [27], we're motivated and inspired every day by how our customers use our software to find 
creative solutions to business problems, develop breakthrough ideas, and stay connected to what's most 
important to them. 

We run our business in much the same way, and believe our five business divisions offer the greatest 
potential to serve our customers. They are: 

• Windows Windows Live Division : Includes the Windows product family and is responsible for our 
relationships with personal computer manufacturers as well as online software and services through 
Windows Live. 

• Server and Tools : Software server products, services and solutions, including: Windows Server op- 
erating system, Microsoft SQL Server, Visual Studio, Silverlight, System Center products, Forefront 
security products, Biz Talk Server, and Microsoft Consulting Services. 

• Online Services Division : Consists of an online advertising platform with offerings for publishers 
and advertisers, and online information offerings such as Bing and the MSN portals and channels. 

• Microsoft Business Division : Includes the Microsoft Office suites, desktop programs, servers, and 
services and solutions; Microsoft Dynamics; and Unified Communications business solutions. 

• Entertainment and Devices Division : Consists of the Xbox video game system, including consoles 
and accessories, Xbox Live operations, Zune digital music and entertainment device; Mediaroom, 
mobile and embedded device platforms, Surface computing platform, and Windows Automotive. 

We are committed long term to the mission of helping our customers realize their full potential. Just as 
we constantly update and improve our products, we want to continually evolve our company to be in the 
best position to accelerate new technologies as they emerge and to better serve our customers." 



October 6, 2014 



CONFIDENTIAL 



Page 67 of 134 



Assets Portfolio 



14.1 Internet Explorer 

"Fast, safe, and easy. Internet Explorer[28] takes the web experience beyond the page for quicker and 
more reliable browsing with peace of mind." 

12-026 Internet Explorer 8 Remote Code Execution 



Vulnerability Information 



Asset Type 


Brokered 


Listing Date 


2012.05.17 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


8.0.7601.17514 
8.0.6001.18702* 


Affected Versions Assumed 




Unaffected Versions 


9 
7 
6 


Affected Platforms Tested 


1: Microsoft Windows 7 SP1 FP(2012.05.17) 
2: Microsoft Windows Vista SP2 FP(2012.05.17) 
3: Microsoft Windows XP SP3 FP(2012.05.17) 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


8.0.7601.17514 


V 


V 


V 


8.0.6001.18702 


V 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


8 on Microsoft Windows 7 SP1 FP 
8 on Microsoft Windows Vista SP2 FP 
8 on Microsoft Windows XP SP3 FP 


Attack Vector 


Remote 


Exploitation Impact 


Code Execution 


Exploitation Context 


User 


Windows Integrity Level 


Low 


Exploitation Indicators 


Execution of payload 


Prerequisites 


Javascript 


Reliability Rating 


High (95%)** 


Development Status 


In Development 
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Development Phase 


Proof-of-Concept*** 


Development Goal 


Exploit 


Exploit Features 


Process continuation**** 



* With different patches: From never updated to fully updated (passing by updated to 2011, Jan). 

** The provided exploit may not work well against systems with low mememory, as a large heap spray 
is required in order to achieve exploitation. Systems with low memory may not have the required large 
address space to spray. 

*** Proof-of-Concept currently requires DEP to be disabled on the ASLR-based target platforms. 
**** Process continuation improved on target platforms with DEP turned on. 

13-009 Microsoft Internet Explorer Client-side Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013.05.07 


Expiration Date 




Vulnerability Information 


Target 


Microsoft Internet Explorer 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


9.0.16 (9.0.8112.16421) 
9.0.15 (9.0.8112.16421) 
9.0.14 (9.0.8112.16421) 
9.0.13 (9.0.8112.16421) 
9.0.12 (9.0.8112.16421) 
9.0.10 (9.0.8112.16421) 
9.0.9 (9.0.8112.16421) 
9.0.7 (9.0.8112.16421) 
9.0.6 (9.0.8112.16421) 
8.00.7601.18106 (8.0.7601.17514)* 
8.00.7601.18094 (8.0.7601.17514)* 
8.00.7601.18035 (8.0.7601.17514)* 
8.00.7601.17940 (8.0.7601.17514)* 
8.00.7601.17874 (8.0.7601.17514)* 
8.00.7601.17824 (8.0.7601.17514)* 
8.00.7601.17785 (8.0.7601.17514)* 
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Affected Versions Assumed 


9.x 
8.x 


Unaffected Versions 


10.x 


Affected Platforms Tested 


1: x86-64 Microsoft Windows 7 SP1** 
2: x86-32 Microsoft Windows 7 SP1 
3: x86-32 Microsoft Windows XP SP3 


Affected Platforms Assumed 


Microsoft Windows 7 SPO*** 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


9.0.16 


V 


V 




9.0.15 


V 


V 




9.0.14 


V 


V 




9.0.13 


V 


V 




9.0.12 


V 


V 




9.0.10 


V 


V 




9.0.9 


V 


V 




9.0.7 


V 


V 




9.0.6 


V 


V 




8.00.7601.18106 


V 


V 


V 


8.00.7601.18094 


V 


V 




8.00.7601.18035 


V 


V 




8.00.7601.17940 


V 


V 




8.00.7601.17874 


V 


V 




8.00.7601.17824 


V 


V 




8.00.7601.17785 


V 


V 





Exploit / Proof-of-Concept Information 



Supported Targets 


9.0.16 on Microsoft Windows 7 SP1 




9.0.15 on Microsoft Windows 7 SP1 




9.0.14 on Microsoft Windows 7 SP1 




9.0.13 on Microsoft Windows 7 SP1 




9.0.12 on Microsoft Windows 7 SP1 




9.0.10 on Microsoft Windows 7 SP1 




9.0.9 on Microsoft Windows 7 SP1 




9.0.7 on Microsoft Windows 7 SP1 




9.0.6 on Microsoft Windows 7 SP1 




8.00.7601.18106 on Microsoft Windows 7 SP1 




8.00.7601.18106 on x86-32 Microsoft Windows XP SP3 




8.00.7601.18094 on Microsoft Windows 7 SP1 




8.00.7601.18035 on Microsoft Windows 7 SP1 



Table continued on next page... 



October 6, 2014 



CONFIDENTIAL 



Page 70 of 134 



Assets Portfolio 



- continued from previous page. 





8.00.7601.17940 on Microsoft Windows 7 SP1 




8.00.7601.17874 on Microsoft Windows 7 SP1 




8.00.7601.17824 on Microsoft Windows 7 SP1 




8.00.7601.17785 on Microsoft Windows 7 SP1 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Code Execution 


Exploitation Context 


Windows 7: User 
Windows XP: Admin 


Windows Integrity Level 


Windows 7: Low 


Exploitation Indicators 




Prerequisites 


Javascript 


Reliability Rating 


High (>90%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Handles ASLR dynamically via version detection 
Avoids DEP 

Target platform agnostic 

Process continuation 

Post-exploitation process cleanup 

No shellcode character or size limitations 

Full error condition handling with clean exits 



* Internet Explorer 8 uses the same version string across all patchlevels (8.0.7601.17514 update version 
0) so version is identified by mshtml-version string. 

** Internet Explorer processes tested on x86-64 Microsoft Windows 7 were WOW64 processes; True 
64-bit target processes are not supported. 

*** The exploit for this vulnerability is independent of platform patchlevel and should work across all 
service packs and patchlevels of the indicated platforms. 



14.2 Microsoft Office 

"Microsoft Office [29] is the essential software suite for homes and small businesses that enables you to 
quickly and easily create great-looking documents, spreadsheets, and presentations, and manage e-mail." 

12-035 Microsoft Office Client-Side Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Non-Exclusive Purchase 
Monthly License 
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Listing Date 


2012.07.23 


Expiration Date 




Vulnerability Class 


Design Flaw 


Affected Versions Tested 


Word 2007 SP2 FP(2012. 07.17) 
Excel 2007 SP2 FP(2012.07.17) 
Powerpoint 2007 SP2 FP(2012.07.17) 


Affected Versions Assumed 




Unaffected Versions 


2013 
2010 
2003 


Affected Platforms Tested 


1- x86-32 Microsoft Windows 2003 SP2 
2: x86-32 Microsoft Windows XP SP3 


Affected Platforms Assumed 


Microsoft Windows 2003 
Microsoft Windows XP 


Unaffected Platforms 


Microsoft Windows Server 2012 
Microsoft Windows Server 2008 R2 
Microsoft Windows Server 2008 
Microsoft Windows 8 Release Preview 
Microsoft Windows 7 
Microsoft Windows Vista 


Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix* 





1 


2 


Word 2007 


V 


V 


Excel 2007 


V 


V 


Powerpoint 2007 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


Word 2007 SP2 FP(2012.07.17) on x86-32 Microsoft Windows 2003 
SP2 

Word 2007 SP2 FP(2012.07.17) on x86-32 Microsoft Windows XP 
SP3 

Excel 2007 SP2 FP(2012.07.17) on x86-32 Microsoft Windows 2003 
SP2 

Excel 2007 SP2 FP(2012. 07.17) on x86-32 Microsoft Windows XP 
SP3 

Powerpoint 2007 SP2 FP(2012.07.17) on x86-32 Microsoft Windows 
2003 SP2 

Powerpoint 2007 SP2 FP(2012. 07.17) on x86-32 Microsoft Windows 
XP SP3 


Attack Vector 


Client-Side 


Exploitation Impact 


Code Execution 
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Exploitation Context 


User 


Windows Integrity Level 




Exploitation Indicators 




Prerequisites 




Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 





* Vulnerability testing involves two scenarios; double-clicking on the malicious file and opening the 
malicious file through the "Open File" menu within the application. Word and Powerpoint versions are 
vulnerable to the former while Excel is vulnerable to the latter. 



14.3 Windows 

"The Windows product family[30] comprises Microsoft's flagship operating system." 



10-019 Windows Core Component Client-Side Remote Code Execution 

Vulnerability Information 



Asset Type 


Brokered 


Affected Platforms Tested 


Internet Explorer 6 on 32-bit x86 Microsoft Windows XP 


Affected Platforms Assumed 




Unaffected Platforms 




Affected Versions Tested 


SP3 


Affected Versions Assumed 


SP0-SP2 


Unaffected Versions 




Reliability Rating 


Completely (100%) 


Exploit / Proof-of-Concept Information 


Supported Platforms 


Internet Explorer 6 on 32-bit x86 Microsoft Windows XP 


Supported Versions 


SP3 


Attack Vector 


Client-Side 


Exploitation Impact 


Code Execution 


Exploitation Context 


User 


Exploitation Indicators 




Prerequisites 


Internet Explorer 
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Reliability Rating 


Partial (50%) 


Development Status 


Multiple Proof-of-Concepts and one Exploit* 


Development Phase 


Active 


Development Goal 


Reliable Exploit 



* The multiple Proof-of-Concepts provided with this vulnerability's materials demonstrate multiple vectors 
available to trigger the vulnerability. The Exploit provided uses one of these vectors to achieve code 
execution, although execution is currently only partially reliable. 

12-002 Microsoft Windows XP Kernel Local Privilege Escalation 



Vulnerability Information 



Asset Type 


Brokered 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


XP SP0-SP3 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 


x86-64 


Reliability Rating 


Completely (100%) 




Vulnerability Test Matrix 








1 




XP SP0-SP3 


V 


Exploit / Proof-of-Concept Information 


Supported Targets 


x86-32 Microsoft Windows XP SP0-SP3 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


SYSTEM 


Windows Integrity Level 


n/a 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


Completely (100%) 


Development Status 


Active 


Development Phase 


Debugging 


Development Goal 


Exploit 


Exploit Features 
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12-003 Microsoft Windows Local Privilege Escalation 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Non-exclusive Sale 
Monthly License 


Vulnerability Class 


Design Flaw 


Affected Versions Tested 


XP SP0-SP3 (FP 2013.01.14) 
2003 SP0-SP2 (FP 2013.01.14) 


Affected Versions Assumed 




Unaffected Versions 


Vista 

Windows 7 
2008 


Affected Platforms Tested 


1: x86-32 
2: x86-64 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


XP SP0-SP3 ! 


V 


V 


2003 SP0-SP2 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Windows XP SP0-SP3 (FP 2013.01.14) 
x86-64 Windows XP SP0-SP3 (FP 2013.01.14) 
x86-32 Windows 2003 SP0-SP2 (FP 2013.01.14) 
x86-64 Windows 2003 SP0-SP2 (FP 2013.01.14) 


Attack Vector 


Local 


Exploitation Impact 


Code Execution 
Command Execution 


Exploitation Context 


RingO (code execution) 

NT AUTHORITY\SYSTEM (command execution) 


Windows Integrity Level 




Exploitation Indicators 




Prerequisites 




Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 

Metasploit post-exploitation module 


Development Goal 


Exploit 

Metasploit post-exploitation module 
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Exploit Features 



- continued from previous page. 
Automatic Architecture/OS detection and target selection at run- 
time 

Allows execution of an arbitrary command such as cmd.exe 
Metasploit post-exploitaion module version can be executed from 
Meterpreter to elevate privileges 

RingO shellcode that replaces the token of the process of your choice 
with an NT AUTHORITY\SYSTEM token 



12-004 Microsoft Windows Local Protection Bypass 



Asset Information 



Asset Type 


Brokered 


Vulnerability Class 


Input Validation 


Affected Versions Tested 


Vista SP0-SP2 




7 SP0-SP1 




Server 2008 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 


x86-64 


Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


Vista SP0-SP2 


V 


7 SP0-SP1 


V 


Server 2008 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


x86-32 Microsoft Windows Vista SP0-SP2 
x86-32 Microsoft Windows 7 SP0-SP1 
x86-32 Microsoft Windows Server 2008 


Attack Vector 


Local 


Exploitation Impact 


Protection Bypass* 


Exploitation Context 


SYSTEM 


Windows Integrity Level 


High 


Exploitation Indicators 


Exploit Executable Present** 


Prerequisites 


Administrator Access 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 
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Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 





* Bypass provides Administrator to RingO access. 

** Post-exploitation cleanup can be added at Customer's request. 



13-013 Microsoft Windows Kernel Local Privilege Escalation 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2013.06.22 


Expiration Date 




Vulnerability Information 


Target 


Microsoft Windows Kernel 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


8 SPO (FP:2013-08-10) 




7 SP1 (FP:2013-08-10) 




Vista SP2 (FP:2013-08-10) 




XP SP3 (FP:2013-08-10) 




Server 2012 




Server 2008 SP1 




Server 2008 SP2 




Server 2008 R2 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-64 




2: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


8 SPO 


V 


V 


7 SP1 


V 


V 
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1 


2 


Vista SP2 


V 


V 


XP SP3 




V 


Server 2012 


V 


V 


Server 2008 SP1 


V 


V 


Server 2008 SP2 


V 


V 


Server 2008 R2 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets* 


x86-32 Microsoft Windows 8 
x86-64 Microsoft Windows 7 SP1 
x86-32 Microsoft Windows 7 SP1 
x86-64 Microsoft Windows Vista SP2 
x86-32 Microsoft Windows Vista SP2 
x86-64 Microsoft Windows Server 2008 SP2 
x86-32 Microsoft Windows Server 2008 SP2 


Attack Vector 


Local 


Exploitation Impact 


Code Execution 


Exploitation Context 


SYSTEM 


Windows Integrity Level 


High 


Exploitation Indicators 


Denial of service (BSOD) on exploitation failure of single-core targets 


Prerequisites 




Reliability Rating 


x86-32 Microsoft Windows 8 SP0: Complete (100%)** 

x86-64 Microsoft Windows 7 SP1 Professional: Complete (100%)** 

x86-64 Microsoft Windows 7 SP1 Ultimate- Comnlete ('\0C)%)** 

1JT IVIH_ll_/3l_ML VVIIIU UVV3 / Jl J. \J \ L \ 1 1 1 a LC. V-UI 1 1 yJ 1 C LC 1 lUu/OI 

x86-32 Microsoft Windows 7 SP1 Professional: Very High 
(99.93%)** 

x86-32 Microsoft Windows 7 SP1 Ultimate: Very High (99.79%)** 
x86-64 Microsoft Windows Vista SP2 Starter: Complete (100%)** 
x86-64 Microsoft Windows Vista SP2 Home Basic: Very High 
(99.89%)** 

x86-64 Microsoft Windows Vista SP2 Home Premium: Very High 
(99.75%)** 

x86-64 Microsoft Windows Vista SP2 Business: Complete (100%)** 
x86-64 Microsoft Windows Vista SP2 Ultimate: Complete (100%)** 
x86-32 Microsoft Windows Vista SP2 Starter: Complete (100%)** 
x86-32 Microsoft Windows Vista SP2 Home Basic: Complete 
(100%)** 

x86-32 Microsoft Windows Vista SP2 Home Premium: Very High 
(99.85%)** 

x86-32 Microsoft Windows Vista SP2 Business: Very High 
(99.85%)** 

x86-32 Microsoft Windows Vista SP2 Ultimate: Complete (100%)** 
x86-64 Microsoft Windows Server 2008 SP2 Standard: Complete 
(100%)** 
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x86-64 Microsoft Windows Server 2008 SP2 Enterprise: Complete 
(100%)** 

x86-64 Microsoft Windows Server 2008 SP2 Datacenter: Very High 
(99.72%)** 

x86-32 Microsoft Windows Server 2008 SP2 Standard: Complete 
(100%)** 

x86-32 Microsoft Windows Server 2008 SP2 Enterprise: Very High 
(99.95%)** 

x86-32 Microsoft Windows Server 2008 SP2 Datacenter: Compete 
(100%)** 


Development Status 


Active 


Development Phase 


Exploit 


Development Goal 


Exploit with 95% reliability or better 


Exploit Features 


Process continuation 



* Exploit support for other Affected Versions (8, XP SP3) available upon request. 

** The exploitation method uses a memory spray type technique. As with all such techniques there is a 

margin for error resulting in less than 100% reliability. 



13-020 Microsoft Windows Kernel Local Privilege Escalation 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2013-10-14 


Expiration Date 




Vulnerability Information 


Target 


Microsoft Windows Kernel 


Vulnerability Class 


Logic Flaw 


Affected Versions Tested 


8.1 SP0 FP(2013-10-10)* 




7 SP1 FP(2013-10-10) 


Affected Versions Assumed 


Vista 


Unaffected Versions 


XP and older 


Affected Platforms Tested 


1: x86-32* 


Affected Platforms Assumed 


x86-64 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 
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Vulnerability Test Matrix 





1 


8.1 SPO FP(2013.10.10) 


V 


7 SP1 FP(2013.10.10) 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


1: x86-32 Microsoft Windows 7 SP1 FP(2013-10-10) 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


SYSTEM 


Windows Integrity Level 


System 


Exploitation Indicators 


Minor memory leak 


Prerequisites 




Reliability Rating 


Target 1: Completely (100%) 


Exploit Failure Behavior 




Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 





* While the vulnerability is present in Windows 8 and x86-64 Windows 7, the vulnerability is only ex- 
ploitable on x86-32 versions of Windows prior to Windows 8 due to NULL pointer dereference exploitation 
mitigation introduced in Windows 8 which was back-ported to x86-64 Windows 7. 



14-005 Microsoft Windows Local Privilege Escalation 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2014-03-31 


Expiration Date 




Vulnerability Information 


Target 


Microsoft Windows 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


7 SP1 (FP:2014-03-21) 


Affected Versions Assumed 
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Unaffected Versions 


8 


Affected Platforms Tested 


1: x86-32 


Affected Platforms Assumed 




Unaffected Platforms 


2: x86-64 


Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


7 SP1 (FP:2014-03021) 


V 


N 


8 


N 


N 



Asset Deliverables 



Documentation 


Asset Dossier including technical vulnerability and exploit documen- 
tation 


Exploits 


14-005-1 


Exploit / Proof-of-Concept Information 


Exploit ID 


14-005-1 


Supported Targets 


1: x86-32 Windows 7 SP1 (FP:2014-03-21) 


Attack Vector 


Local Executable 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


SYSTEM 


Windows Integrity Level 


High 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


Target 1: Very High (99%) 


Exploit Failure Behavior 


System continues operating 


Exploit Features 




Development Status 


Complete 


Deliverables 


Exploit 
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Chapter 15 



Mozilla Corporation 

"What is Mozilla?[31]? 

Were a global community of thousands who sincerely believe in the power of technology to enrich peoples 
lives. 

Were a public benefit organization dedicated not to making money but to improving the way people 
everywhere experience the Internet. 

And were an open source software project whose code has been used as a platform for some of the 
Internets most innovative projects. 



15.1 Firefox 

"The Firefox[32] browser is created by Mozilla, a non-profit organization whose mission is to promote 
openness, innovation and opportunity on the Web." 

14-008 Mozilla Firefox Client-side Remote Code Execution 



Sale Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2014-10-06 


Expiration Date 





Vulnerability Information 
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Target 


Mozilla Firefox 


Target Bundles 




Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


32.0.3 




32.0 




31.0 




30.0 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 Microsoft Windows 7 SP1 (FP:2014-10-05) 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


32.0.3 


V 


32.0 


V 


31.0 


V 


30.0 


V 



Asset Deliverables 



Documentation 


14-008-0 - Asset Dossier including technical vulnerability and exploit 
documentation 


Exploits 


14-008-1 - Metasploit Exploit Module 


Exploit / Proof-of-Concept Information 


Exploit ID 


14-008-1 


Supported Targets 


1: 32.0.3 on x86-32 Microsoft Windows 7 SP1 (FP:2014-10-05) 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Code Execution 


Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 


Target software crashes 


Prerequisites 


Javascript support in Firefox 


Reliability Rating 


Target 1: Completely (100%) 


Exploit Failure Behavior 


Target software crashes 


Exploit Features 


ASLR Handled 
DEP Bypassed 


Development Status 


Active 


Development Goal 
Deliverables 


Final tweaks and speed increase 
Metasploit Exploit Module 
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Chapter 16 



Multiple Vendors 



"This section is for vulnerability listings that affect multiple vendors. Specific vendor information will be 
included in the subsections." 



16.1 Multiple BSD Jails 

Jails, or virtualized root systems, for BSD-based operating systems enforce a virtualized system environ- 
ment for a user or process to operate within. 

13-006 Multiple BSD Jail Local Jail Escape and Privileged Command 
Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013.05.06 


Expiration Date 




Vulnerability Information 


Target 


Dirk Engling's ezjail on PC-BSD* 
FreeBSD Warden on FreeBSD* 


Vulnerability Class 


Design Flaw 


Affected Versions Tested 


ezjail 3.2.3 
Warden 1.1.2 


Affected Versions Assumed 
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Unaffected Versions 




Affected Platforms Tested 


1: FreeBSD 9.0-1 
2: FreeBSD 8.x 
3: PC-BSD 9.1 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


High (95%) when targeting Warden Ports Jail Configuration 
Medium (40%) when targeting Warden Traditional Jail Configura- 
tion 

Medium (40%) when targeting ezjail 



Vulnerability Test Matrix 





1 


2 


3 


ezjail 3.2.3 


V 


V 




Warden 1.1.2 






V 



Exploit / Proof-of-Concept Information 



Supported Targets 


ezjail 3.2.3 on FreeBSD 9.0-1 
ezjail 3.2.3 on FreeBSD 8.x 
Warden 1.1.2 on PC-BSD 9.1 


Attack Vector 


Local 


Exploitation Impact 


Jail Escape 
Command Execution 


Exploitation Context 


root 

Targeted User 


Exploitation Indicators 


Miscellaneous files used in exploitation 


Prerequisites 


User write permissions to target file or directory 

ezjail: External system user must perform file write action 

Warden: Shared Filesystem 


Reliability Rating 


High (95%) when targeting non-syslog file writes 
High (80%) when targeting syslog file writes 


Development Status 


Complete 


Development Phase 


Proof-of-Concept 
Instructable 


Development Goal 




Exploit Features 





* The vulnerability exists due to a design flaw in the interaction of the jail software and the operating 
system rather than in either the jail software or operating system themselves. 
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Chapter 17 

Multiple Anti- Virus and 
Ant i- Mai ware Vendors 



17.1 Multiple Anti- Virus and Anti-Malware Products 

10-014 Malicious Portable Executable Detection Bypass 

Vulnerability Information 



Asset Type 


Brokered 


Affected Platforms Tested 


Windows 2000 SP4 




Windows XP SP2 




Windows XP x64 




Windows 7 x86 


Affected Platforms Assumed 


All Microsoft Windows 


Unaffected Platforms 




Affected Versions Tested 


AhnLab-V3 2010.06.15.01 




Avira AntiVir 7.11.0.73, 8.2.2.6 




Antiy-AVL 2.0.3.7 




Avast 4.8.1351.0, 5.0.332.0, 5.0.677.0 




AVG 9.0.0.787, 9.0.0.851 




BitDefender 7.2 




CAT-QuickHeal 10.00, 11.00 




ClamAV 0.96.0.3-git, 0.96.4.0 




Command 5.2.11.5, Authentium 5.2.0.5 




Comodo 5113, 7088 




DrWeb 5.0.2.03300 




Emsisoft 5.1.0.1, a-squared 5.0.0.26 




eSafe 7.0.17.0 




CA eTrust-Vet 36.1.7636, 36.1.8046 
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RiQino- AV 99 R1 Oft 01 99 7£ 03 Oft 




C nn hnc A\/ A RA 0 A (SO 0 




SUPERAntiSpyware 4.40.0.1006 




Symantec 20101.1.0.89, 20101.3.0.103, and Norton 360 (latest, full 




install mode) 




TheHacker 6.5.2.0.299 




TrendMicro Titanium 9.120.0.1004 and HouseCall 9.120.0.1004 




GFI VIPRE 7684, Sunbelt 6451 




VirusBlokada VBA32 3.12.12.5, 3.12.14.2 




ViRobot 2010.6.14.3884, 2010.12.17.4205 




VirusBuster 5.0.27.0, 13.6.98.1 


Affected Versions Assumed 


Other versions of Affected Versions Tested 


Reliability Rating 


Complete (100%) 



Exploit / Proof-of-Concept Information 



Supported Platforms 


Windows 2000 SP4 




Windows XP SP2 




Windows XP x64 




Windows 7 x86 


Supported Versions 


AhnLab-V3 2010.06.15.01 




Avira AntiVir 7.11.0.73, 8.2.2.6 




Antiy-AVL 2.0.3.7 




Avast 4.8.1351.0, 5.0.332.0, 5.0.677.0 




AVG 9.0.0.787, 9.0.0.851 




BitDefender 7.2 




CAT-QuickHeal 10.00, 11.00 




ClamAV 0.96.0.3-git, 0.96.4.0 




Command 5.2.11.5, Authentium 5.2.0.5 




Comodo 5113, 7088 
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Attack Vector 


DrWeb 5.0.2.03300 

Emsisoft 5.1.0.1, a-squared 5.0.0.26 

eSafe 7.0.17.0 

CA eTrust-Vet 36.1.7636, 36.1.8046 

F-Prot 4.6.0.103, 4.6.2.117 

F-Secure 9.0.15370.0, 9.0.16160.0 

Fortinet 4.1.133.0, 4.2.254.0 

GData 2010 (21) 

Ikarus T3. 1.1. 84.0, T3. 1.1. 90.0 

Jiangmin 13.0.900 

K7 Antivirus 9.73.3267 

Kaspersky 7.0.0.125, 11.0.1.400, and latest suite in full install mode 

McAfee 5.400.0.1158 and GW-Edition 

Microsoft Forefront 1.5802, 1.6402 

ESet NOD32 5199, 5701 

Norman 6.04.12, 6.06.12 

nProtect 2010-06-15.02 

Panda 10.0.2.7 and latest suite in full install mode 
PCTools 7.0.3.5 
Prevx 3.0 

Rising AV 22.51.06.01, 22.78.03.06 
Sophos AV 4.54.0, 4.60.0 
SUPERAntiSpyware 4.40.0.1006 

Symantec 20101.1.0.89, 20101.3.0.103, and Norton 360 (latest, full 
install mode) 
TheHacker 6.5.2.0.299 

TrendMicro Titanium 9.120.0.1004 and HouseCall 9.120.0.1004 

GFI VIPRE 7684, Sunbelt 6451 

VirusBlokada VBA32 3.12.12.5, 3.12.14.2 

ViRobot 2010.6.14.3884, 2010.12.17.4205 

VirusBuster 5.0.27.0, 13.6.98.1 

File Format / Client-Side 


Exploitation Impact 


Detection Bypass 


Exploitation Context 


Not Applicable 


Exploitation Indicators 


Malformed Portable Executable (PE) files on filesystem 


Reliability Rating 


Complete (100%) 


Development Status 


Complete 


Development Phase 


Utility 


Development Goal 


Utility 



This vulnerability is a logic flaw in the way that the vulnerable products handle Portable Executable files. 
Due to the underlying reason that the products behave in the way that they do, this flaw is thought to 
be fairly ubiquitous among these types of products. 

The utility provided with the vulnerability materials can modify any known-malicious Portable Executable 
(PE) file into a format that will bypass anti-virus and anti-malware detection while retaining it's executable 
capability. 
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Chapter 18 



Novell 



"Novell[33] is a leading provider of infrastructure software. Our vision is helping people and technology 
to work as one. Our mission is to help customers reduce the cost, complexity and risk of computing on 
any platform." 



18.1 Novell Clients 

"The Novell Client workstation software[34] extends the capabilities of Linux and Windows desktops by 
providing access to NetWare and Open Enterprise Server (OES). Once installed on workstations, Novell 
Clients enable users to enjoy the full range of Novell services such as authentication via Novell eDirectory, 
network browsing and service resolution, and secure and reliable file system access-all delivered through 
industry-standard protocols. The Client supports Novell's traditional NCP protocol." 



10-004 Novell Client Remote Code Execution 

Vulnerability Information 



Asset Type 


Brokered 


Affected Platforms Tested 


32-bit x86 Windows 2000 SP4 




32-bit x86 Windows XP SP3 




32-bit x86 Windows 2003 SP2 


Affected Platforms Assumed 


All 32-bit x86 Windows, all language packs 


Unaffected Platforms 




Affected Versions Tested 


4.28 




4.30 




4.32 




4.34 




4.36 




4.38 
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5.12* 




5.20* 




5.30* 




5.32* 




5.40* 




5.42* 




5.44* 


Affected Versions Assumed 


None 


Unaffected Versions 




Reliability Rating 


Completely (100%) 


Reserve Price 


None 


Exploit / Proof-of-Concept Information 


Supported Platforms 


32-bit x86 Windows 2000 SP4 




32-bit x86 Windows XP SP3 




32-bit x86 Windows 2003 SP2 


Supported Versions 


4.28 




4.30 




4.32 




4.34 




4.36 




4.38 




5.12* 




5.20* 




5.30* 




5.32* 




5.40* 




5.42* 




5.44* 


Attack Vector 


Local, Man-in-the-Middle, and Client-Side** 


Exploitation Impact 


Code Execution 


Exploitation Context 


SYSTEM (locally, some remote cases), Current User (remotely) 


Exploitation Indicators 


Browser crash when using Client-Side vector 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Professional Exploit 


Development Goal 


Professional Exploit 



The exploit for this vulnerability is a universal platform and vector independent multi-stage exploit which 
handles DEP. Note that some platforms identified or assumed as vulnerable are not supported by the 
exploit as the exploit does not handle GuardStack protection, which is enabled in platforms such as 
Windows Vista, 7, and 2008. 

* The 5.x version branch is not supported by the Vendor for the Windows 2000 platform. 
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** Attack vectors include targeting a local executable, remotely targeting a Windows service, or targeting 
a web browser. 
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Chapter 19 



Open Source 



Open Source[35] refers to software or projects that are not backed by any particular vendor but are 
provided under various open source or free software licenses by the community or an individual. 



19.1 OpenPAM 

"OpenPAM[36] is an open source PAM library that focuses on simplicity, correctness, and cleanliness. Its 
aim is to gather the best features of Solaris PAM, XSSO and Linux-PAM, plus some innovations of its 
own. In areas where these implementations disagree, OpenPAM tries to remain compatible with Solaris, 
at the expense of XSSO conformance and Linux-PAM compatibility." 

14-001 OpenPAM Local Privilege Escalation and Remote Authentication 
Bypass 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2014-02-24 


Expiration Date 




Vulnerability Information 


Target 


OpenPAM 


Vulnerability Class 


Logic Flaw 


Affected Versions Tested 


Nummularia (20130907) 
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Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-64 FreeBSD 10 




2: x86-32 FreeBSD 10 


Affected Platforms Assumed 




Unaffected Platforms 


FreeBSD 9.2 




FreeBSD 8.0 




FreeBSD 4.11 




NetBSD 6.1.3 


Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


Nummularia (20130907) 


V 


V 



Asset Deliverables 



Documentation 


Asset Dossier including technical vulnerability and exploit documen- 
tation 


Exploits 


14-001-1 
14-001-2 


Exploit / Proof-of-Concept Information 


Exploit ID 


14-001-1 


Supported Targets 


1: Nummularia (20130907) on x86-64 FreeBSD 10 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


root 

Any user 


Exploitation Indicators 


Log entries in /var/log/messages 
Log entries in /var/log/auth.log 


Prerequisites 


Attacking user must be in the wheel group to escalate to root* 


Reliability Rating 


Target 1: Completely (100%) 


Exploit Failure Behavior 




Exploit Features 




Development Status 


Complete 


Deliverables 


Exploit 




Exploit ID 


14-001-2 


Supported Targets 


1: Nummularia (20130907) on x86-64 FreeBSD 10 


Attack Vector 


Remote 
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Exploitation Impact 


Authentication Bypass 


Exploitation Context 


root 




Any user 


Exploitation Indicators 


Log entries in /var/log/messages 




Log entries in /var/log/auth.log 


Prerequisites 




Reliability Rating 


Target 1: Completely (100%) 


Exploit Failure Behavior 




Exploit Features 




Development Status 


In Development 


Development Goal 


Developing remote exploitation scenario 


Deliverables 


Instructional 




Supporting shell script 



* However, the attacker can first escalate to any user who is in the wheel group, then escalate to root, so 
this is not much of a limitation as long as there is at least one user on the system who is in the wheel group. 



19.2 tcpdump 

"tcpdump[37] prints out a description of the contents of packets on a network interface that match the 
boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file 
for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to 
read packets from a network interface. In all cases, only packets that match expression will be processed 
by tcpdump." 

12-028 tcpdump Local Privilege Escalation and Backdoor with Firewall 
Evasion 



Vulnerability Information 



Asset Type 


Internal 


Listing Date 


2012.05.21 


Expiration Date 


2012.09.01 


Vulnerability Class 


Design Flaw 


Affected Versions Tested 


4.2.1 




4.1.1 




4.1.0 




4.0.0 


Affected Versions Assumed 


4.0.0 through 4.2.1 


Unaffected Versions 


Versions prior to 4.0.0 


Affected Platforms Tested 


1: x86-64 Ubuntu Linux 11.10 




2: x86-32 Solaris 11 
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3: x86-32 FreeBSD 9 




4: x86-64 Apple Mac OS X 10.7 (Lion) 


Affected Platforms Assumed 


All Linux 




All Solaris 




All BSD 




All Apple Mac OS X 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


4.2.1 


V 




V 




4.1.1 


V 


V 


V 


V 


4.1.0 


V 








4.0.0 


V 




V 





Exploit / Proof-of-Concept Information 



Supported Targets 


4.2.1 on x86-64 Ubuntu Linux 11.10 




4.2.1 on x86-32 FreeBSD 9 




4.1.1 on x86-64 Ubuntu Linux 11.10 




4.1.1 on x86-32 Solaris 11 




4.1.1 on x86-32 FreeBSD 9 




4.1.1 on x86-64 Apple Mac OS X 10.7 (Lion) 




4.1.0 on x86-64 Ubuntu Linux 11.10 




4.0.0 on x86-64 Ubuntu Linux 11.10 




4.0.0 on x86-32 FreeBSD 9 


Attack Vector 


Local 


Exploitation Impact 


Command Execution 


Exploitation Context 


root 


Exploitation Indicators 


Process Execution 


Prerequisites 


Must be able to execute tcpdump with the required elevated privi- 




leges (suid/sudo) 


Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Backdoor mode with Firewall Evasion* 




Timed/Delayed execution 




Backdoor can be opened via similar technique to port knocking 



* This exploit is capable of being launched with a set of commandline parameters that allow it to function 
as a backdoor which can evade some firewalls. 
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Chapter 20 



Opera Software ASA 



"Opera[38] started in 1994 as a research project inside Norways largest telecom company, Telenor. Within 
a year, it branched out into an independent development company named Opera Software ASA. 

Today, Opera Software develops the Opera Web browser, a high-quality, multi-platform product for a 
wide range of platforms, operating systems and embedded Internet products including Mac, PC and 
Linux computers, mobile phones and PDAs, game consoles, and other devices like the Nintendo Wii, DS, 
Sony Mylo, and more. 

Operas vision is to deliver the best Internet experience on any device. Operas key business objective is 
to earn global leadership in the market for PC/desktops and embedded products. Operas main business 
strategy is to provide a browser that operates across devices, platforms and operating systems, and can 
deliver a faster, more stable and flexible Internet experience than its competitors." 



20.1 Opera Web Browser 

"The Opera Web Browser[39] is a high-quality, multi-platform product for a wide range of platforms, 
operating systems and embedded Internet products including Mac, PC and Linux computers, mobile 
phones and PDAs, game consoles, and other devices like the Nintendo Wii, DS, Sony Mylo, and more." 

13-018 Opera Web Browser Universal Client-side Remote Code Execu- 
tion 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013-10-09 
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Expiration Date 



Vulnerability Information 



Ta rget 


Onera Web Browser 




Opera Mini Web Browser 


X/i 1 1 npra bil itv Cla^ 

V Ul 1 ILI a Ul 1 1 Ly v_ lu jj 


1 ocnr or Dp^ipti Flaw 

LUC IL \J\ 1 ' \Z- J 1 ££. 1 1 1 luVV 


Affprtprl \/pr«;inn<; TptitpH 

MCLLCU v CI 3IUI 13 1 C3 LCVJ 


Onpra 12 15 




Onpra 19 14 




Onpra 1 2 1 3 




Onera 19 1? 

V/pCI d L<L.i-£. 




Ooera 12 11 




Onpra 1 2 1 fl 




Ooera 12 02 




Ooera 12 01 




Onpra 1 2 00 




Onpra Mini 17 0 

uti a i v 1 1 1 ii xi . \j 




Onpra Mini 12 15 

\_y uci □ i v i ii ii j 




Onpra Mini 12 14 

\_y uv^i c i v i 1 1 1 1 x^.x r 




Opera Mini 12.13 




Opera Mini 12.12 




Opera Mini 12.11 




Opera Mini 12.10 




Opera Mini 12.02 




Opera Mini 12.01 




Opera Mini 12.00 


AffprtpH X/pr^inn^ A^mimpd 


Onpra 1 4 y 




Onpra 1 3 y 




Onera 12 x 




Opera Mini 16.x 




Opera Mini 15.x 




Onera Mini 1 4 x 

\_y uui a i v i 1 1 1 1 x r . a 




Opera Mini 13.x 




Opera Mini 12.x 


Unaffected Versions 


Opera 17.0 




Opera 16.x 




Opera 15.x 


Affected Platforms Tested 


1: Microsoft Windows 7 SP1 (FP:2013-10-09) 




2: Microsoft Windows Vista Ultimate SP2 (FP:2013-10-09) 




3: Microsoft Windows XP SP3 (FP:2013-10-09) 




4: x86-32 Ubuntu Linux 13.04 (FP:2013-10-09) 




5: Mac OSX 10.8 (FP:2013-10-09) 




6: iPhone I0S 6 (FP:2013-10-09) 




7: Android 4.3 (FP:2013-10-09) 


Affected Platforms Assumed 


All Microsoft Windows 




All Linux 




All Mac OSX 
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iPad IOS 6 




Sybian / Nokia mobile devices 




Nintendo Wii 




Blackberry mobile devices 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


5 


6 


7 


17.0 


N 


N 


N 


N 








12.15 


V 


V 


V 


V 








12.14 


V 


V 


V 


V 








12.13 


V 


V 


V 


V 








12.12 


V 


V 


V 


V 








12.11 


V 


V 


V 


V 








12.10 


V 


V 


V 


V 








12.02 


V 


V 


V 


V 








12.01 


V 


V 


V 


V 








12.00 


V 


V 


V 


V 








Mini 17.0 










V 


V 


V 


Mini 12.15 










V 


V 


V 


Mini 12.14 










V 


V 


V 


Mini 12.13 










V 


V 


V 


Mini 12.12 










V 


V 


V 


Mini 12.11 










V 


V 


V 


Mini 12.10 










V 


V 


V 


Mini 12.02 










V 


V 


V 


Mini 12.01 










V 


V 


V 


Mini 12.00 










V 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


1: 12.x on all Microsoft Windows 
2: 12.x on all Linux 
3: 12.x on all Mac OSX 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Code Execution (Windows, Linux, OSX)* 


Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 




Prerequisites 


Javascript 


Reliability Rating 


Target 1: Completely (100%) 
Target 2: Completely (100%) 
Target 3: Completely (100%) 
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Exploit Failure Behavior 


n/a 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


Target Environment Cleanup 



* Additional impacts possible by leveraging this vulnerability include hijacking browser traffic, UXSS, 
browser configuration disclosure, and local file disclosure. Mobile platform targets are restricted to 
browser configuration disclosure. 
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Chapter 21 



Oracle Corporation 



"Oracle Corporation[40], an enterprise software company, engages in the development, manufacture, 
distribution, servicing, and marketing of database, middleware (computer software that connects software 
components or applications), and application software." 



21.1 Java 

"Java[41] allows you to play online games, chat with people around the world, calculate your mortgage 
interest, and view images in 3D, just to name a few. It's also integral to the intranet applications and 
other e-business solutions that are the foundation of corporate computing." 



10-030 Java Virtual Machine (JRE & JDK) Client-Side Remote Code 
Execution 

Vulnerability Information 



Asset Type 


Brokered 


Affected Platforms Tested 


32-bit x86 Microsoft Windows XP SP2 & SP3 

32-bit x86 Microsoft Windows Vista SP1 & SP2 

64-bit x86 Microsoft Windows Vista SP1 & SP2 

32-bit x86 Microsoft Windows 7 

64-bit x86 Microsoft Windows 7 

32-bit x86 Ubuntu Linux 10.10 kernel 2.6.35 i686 


Affected Platforms Assumed 




Unaffected Platforms 


Mac OS X* 


Affected Versions Tested 


7.0.4 

6.0.10 - 6.0.24 
6.0.0 - 6.0.7 
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5.0.22 




5.0.1 


Affected Versions Assumed 




Unaffected Versions 




Reliability Rating 


Completely (100%) 



Exploit / Proof-of-Concept Information 



Supported Platforms 


32-bit x86 Microsoft Windows XP SP2 & SP3 
32-bit x86 Microsoft Windows Vista SP2 
64-bit x86 Microsoft Windows Vista SP2 
32-bit x86 Microsoft Windows 7 
64-bit x86 Microsoft Windows 7 


Supported Versions 


JRE 6.0.20 - 6.0.24 
JRE 6.0.17 - 6.0.18 
JRE 6.0.7 
JRE 6.0.0 
JRE 1.5.11 
JRE 1.5.6 


Attack Vector 


Client-Side 


Exploitation Impact 


Remote Code Execution 


Exploitation Context 


User 


Exploitation Indicators 


On success there is no indication. On failure the JVM silently crashes 
resulting in hs_err_<pid>.log crash log file. 


Prerequisites 


None 


Reliability Rating 


Very Reliable (95%)** 


Development Status 


Active 


Development Goal 


Metasploit Exploit Module supporting all vulnerable platforms and 
versions listed. 


Development Phase 


Metasploit Exploit Module 



* Testing on Mac OS X was limited and may not represent the vulnerable state of all Mac OS X platforms. 

** Because failed attempts at exploiting the vulnerability result in a silent crash, exploitation can be 
repeatedly attempted until successful. 



21.2 Solaris SunSSH 

"Solaris SunSSH[42] is the internal Solaris SSH system." 
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14-006 Oracle Solaris SunSSHD Remote Privileged Command Execution 



Sale Information 



Asset Type 


Brokered 


Asset Availability 


Non-Exclusive Purchase 




Monthly License 


Listing Date 


2014-09-08 


Expiration Date 




Vulnerability Information 


Target 


Oracle Solaris SunSSHD 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


2.0* 




1.5 




1.4 




1.3 




1.2 




1.1.5 




1.1.4 




1.1.3 




1.1.2 




1.1.1 




1.1 


Affected Versions Assumed 




Unaffected Versions 


1.0.1 




1.0 


Affected Platforms Tested 


1: x86 Solaris 11 (unpatched) 




2: x86 Solaris 10 (unpatched) 


Affected Platforms Assumed 


Solaris 11.1 




spare Solaris 11 




spare Solaris 10 


Unaffected Platforms 


Solaris 9 


Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


2.0* 


N 


N 


1.5 


V 




1.4 


V 




1.3 


V 




1.2 


V 




1.1.5 




V 


1.1.4 




V 
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1 


2 


1.1.3 




V 


1.1.2 




V 


1.1.1 




V 


1.1 




V 



Asset Deliverables 



Documentation 


Asset Dossier including technical vulnerability and exploit documen- 
tation 


Exploits 


14-006-1 - Exploit for x86 Solaris yiedling root shell 


Exploit / Proof-of-Concept Information 


Exploit ID 


14-006-1 


Supported Targets 


1: 1.5 on x86 Solaris 11 (unpatched) 
2: 1.1.4 on x86 Solaris 10 (unpatched) 
3: 1.1 on x86 Solaris 10 (unpatched) 


Attack Vector 


Remote 


Exploitation Impact 


Command Execution 


Exploitation Context 


root 


Exploitation Indicators 


Log entries for connection and child process crash if exploitation 
unsuccessful 


Prerequisites 


Network connectivity to SSH port (default 22) on the target 


Reliability Rating 


All Targets: Completely (100%)** 


Exploit Failure Behavior 


n/a 


Exploit Features 


Modified OpenSSH Client 
ASLR Handled 


Development Status 


Complete 


Deliverables 


Exploit 



* Solaris 11.1 ships with Sun SSH 2.0 by default. The vulnerable code is still present in this version 
however it is not able to be triggered in the same manner as the 1.x versions. 

** 100% reliability was achieved on first exploitation attempts only. Multiple exploitation attempts 
against the same running process that has been previously exploited is not supported. 



21.3 WebCenter Content 

"Oracle WebCenter Content[43] provides leading-edge solutions for all types of content management 
needs. From file server consolidation to sophisticated multisite web content management, Oracle Web- 
Center Content provides a robust, scalable solution, along with a powerful infrastructure that allows you 
to create content-enabled applications." 
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12-038 Oracle WebCenter Content Core Component Remote Authenti- 
cation Bypass and Code Execution 



Vulnerability Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2012.09.04 


Expiration Date 


2012.10.04 


Vulnerability Class 


Logic Flaw 


Target 


Oracle WebCenter Content* 


Affected Versions Tested 


llgRl 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: Oracle WebLogic Server on Microsoft Windows Server 2003 R2 


Affected Platforms Assumed 


All supported operating systems** 


Unaffected Platforms 




Reliability Rating 


High (95%)*** 



Vulnerability Test Matrix 





1 


llgRl 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


Oracle WebCenter Content llgRl on Oracle WebLogic Server on 
Microsoft Windows 2003 


Attack Vector 


Remote 


Exploitation Impact 


Authentication Bypass 
Code Execution**** 


Exploitation Context 


Application Administrator 
System User 


Windows Integrity Level 


N/A on Microsoft Windows Server 2003 R2 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


Complete (100%) 


Development Status 


Active***** 


Development Phase 


Instructional 


Development Goal 


Professional or Multiple Exploits 


Exploit Features 
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* Note that Oracle WebCenter Content has achieved Department of Defense (DoD) 5015.2-STD version 
3 certification. 

** The vulnerability is a logic flaw. As such, the underlying platform and associated mitigations by such 
are irrelevant to exploitation. 

*** Reliability is not 100% due to the location of the vulnerability being in a core component. This core 
component is employed by multiple other product components, many with complex configuration options 
which may affect reliability. 

**** Code execution is achieved using existing legitimate functionality of the various components that 
becomes available post-auth. 

***** Support for additional target WebCenter Content components may be developed upon request. 
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Chapter 22 



Parallels IP Holdings GmbH 



"Parallels[44] is a worldwide leader in virtualization and automation software that optimizes computing 
for consumers, businesses, and service providers across all major hardware, operating system, and virtu- 
alization platforms. Founded in 1999, Parallels is a fast-growing company with 800 employees in North 
America, Europe, and Asia." 



22.1 Plesk Panel 

"The most widely used hosting control panel solution. Parallels Plesk Panel[45] is the first step for your 
business - toward faster sites and faster mobile access for website owners and toward a complete product 
line as your hosting business grows." 

13-003 Parallels Plesk Panel Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013.03.28 


Expiration Date 




Vulnerability Information 


Target 


Parallels Plesk Panel 


Vulnerability Class 


Logic Flaw 


Affected Versions Tested 


9.5.4 FP(2013.03.26) 
9.3 FP(2013.03.26) 
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9.2 FP(2013.03.26) 
9.0 FP(2013.03.26) 
8.6 FP(2013.03.26) 


Affected Versions Assumed 


9.x below 9.5.4 inclusive 
8.x above 8.6 inclusive 


Unaffected Versions 


11.0.9 
10.4.4 


Affected Platforms Tested 


1: x86-64 Red Hat Enterprise Linux Server 5.9 

2: x86-32 CentOS 5.9 

3: x86-64 CentOS 5.4 

4: amd64 Debian GNU/Linux 5.0.7 

5: x86-32 Debian GNU/Linux 5.0.5 

6: x86-32 Debian GNU/Linux 4.0 

7: x86-32 Fedora Core 6 


Affected Platforms Assumed 


All CentOS* 
All Linux* 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


5 


6 


7 


9.5.4 


V 


V 


V 


V 


V 


V 


V 


9.3 


V 


V 


V 


V 


V 


V 


V 


9.2 


V 


V 


V 


V 


V 


V 


V 


9.0 


V 


V 


V 


V 


V 


V 


V 


8.6 


V 


V 


V 


V 


V 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


9.5.4 on all tested Linux platforms 
9.5.4 on all tested CentOS platforms 
9.3 on all tested Linux platforms 
9.3 on all tested CentOS platforms 
9.2 on all tested Linux platforms 
9.2 on all tested CentOS platforms 
9.0 on all tested Linux platforms 
9.0 on all tested CentOS platforms 
8.6 on all tested Linux platforms 
8.6 on all tested CentOS platforms 


Attack Vector 


Remote 


Exploitation Impact 


Code Execution 


Exploitation Context 


Apache Webserver User 


Exploitation Indicators 


Apache log entries 


Prerequisites 


Default Plesk installation 
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Reliability Rating 


Completely (100%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 





* Due to this vulnerability being a logic flaw, the underlying platform is largely irrelevant and does not 
affect the viability of the vulnerability. 
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Chapter 23 



PineApp Ltd. 



"PineApp[46] TM is a leading security solution provider for Information Technology. 

PineApp offers comprehensive email security, email archiving and web filtering solutions that are available 
as an appliance or software (on a server or VMware platform). PineApps solutions are also available for 
service providers (ISPs) who wish to offer Cloud-Managed-Services and a DRP (Disaster Recovery Plan) 
solution to their customers. 

Founded in 2002, PineApp is headquartered in Israel, with branch offices in the US, Canada, UK, Spain, 
Italy, France, Russia and Singapore and has distributors in more than 50 countries." 



23.1 Mail-SeCure 

"PineApp Mail-SeCure[47] series appliance protects organizational networks from both targeted and non 
targeted email related threats. Mail-SeCure is equipped with cutting-edge perimeter security engines that 
focus on stopping the vast majority of threats by looking at the credibility of their sources before they 
penetrate the customers network. 

PineApps perimeter security approach helps save a substantial amount of system resources previously 
wasted on unnecessary content inspections. Mail-SeCure provides system administrators with the tools 
to handle both email-borne threats and a variety of email-related administrative tasks." 

11-011 PineApp Mail-SeCure Remote Command Execution 



Vulnerability Information 



Asset Type 


Brokered 


Vulnerability Class 


Input Validation 


Affected Versions Tested 


Mail-SeCure 3.70 


Affected Versions Assumed 


Previous versions employing the same web management code. 
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Unaffected Versions 




Affected Platforms Tested 


2: PHP 5.2.4 on Apache 2.2.6 on Mail-SeCure 1019SJ 
3: PHP 5.2.4 on Apache 2.2.6 on Mail-SeCure 2049SK 
4: PHP 5.2.4 on Apache 2.2.6 on Mail-SeCure 3029SK 
5: PHP 5.2.4 on Apache 2.2.6 on Mail-SeCure 5099SK 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


3.70 


V 


V 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


Universal Mail-SeCure Target 


Attack Vector 


Remote Pre-Auth 


Exploitation Impact 


Command Execution 


Exploitation Context 


Root or Privileged User (qmailq) 


Exploitation Indicators 


Entry in the Apache webserver log. 


Prerequisites 




Reliability Rating 


Completely (100%) 


Development Status 


Active 


Development Phase 


Exploit 


Development Goal 


Professional Exploit 


Exploit Features 


Metasploit Exploit Module 
Post-exploitation interactive command shell 
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Chapter 24 

Safenet, Inc. 

"SafeNet[48] is the largest company exclusively focused on the protection of high-value information assets. 
SafeNet protects: 

• The Most Money That Moves - Securing 80% of all electronic banking transfers, the equivalent of 
$1 Trillion daily 

• The Most Digital Identities - Protecting government and Fortune 100 public key infrastructures 
(PKI's) with industry-leading strong authentication 

• The Most High Value Software - Over 80 million hardware keys sold, protecting intellectual property 
and providing efficient license management solutions 

• The Most Government Information - Proven and trusted by governments around the world, pro- 
viding the largest deployment of government communications security 

Today, We Are: 

• A Global Success - Over 25,000 customers in 100 countries, with 1,550 employees in 25 countries 

• Proven and Stable - Founded in 1983 with revenues in the hundreds of millions of dollars, and 
under private ownership 

• Best-in-class - Security technology products certified to the highest security standards 

• Experts - More than 550 security engineers developing cutting-edge technologies and patents 



24.1 Sentinel HASP 

"Sentinel HASP[49], formerly Aladdin HASP SRM, enables the use of either software- or hardware- based 
protection keys to enforce software protection and licensing. 
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With Sentinel HASP, you can increase your profits by protecting against losses from software piracy and 
intellectual property theft and enable innovative business models to increase value and differentiate your 
products. 

Sentinel HASP fully integrates with your existing software product lifecycle to minimize disruptions to 
development and business processes. Sentinel HASP features role-based tools and processes that allow 
your entire staff to focus on their core competencies. 

Featuring easy-to-use role-based tools for developers, product managers, order processing and production, 
Sentinel HASP ensures a short learning curve and optimum use of employee time and core competencies, 
thus ensuring quick time-to-market and the ability to quickly respond to changing market needs. 

Sentinel HASP provides the industry's strongest, most robustfk software security solution. For example, 
Sentinel HASP offers industry-leading support for licensing in virtual environments and is the first and 
only software licensing and reverse engineering protection tool solution on the market today to support 
J2EE applications." 

13-007 Safenet Sentinel HASP Local Privilege Escalation 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2013-08-10 


Expiration Date 




Vulnerability Information 


Target 


Safenet Sentinel HASP* 


Vulnerability Class 


Design Flaw 


Affected Versions Tested 


6.56 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x32 Microsoft Windows 7 SP1 (FP:2013-07-24) 


Affected Platforms Assumed 


All Microsoft Windows 


Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


6.56 


V 



Exploit / Proof-of-Concept Information 
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Supported Targets 


6.56 on x32 Microsoft Windows 7 SP1 (FP:2013-07-24) 


Attack Vector 


Local 


Exploitation Impact 


Privilege Escalation 


Exploitation Context 


SYSTEM 


Windows Integrity Level 


High 


Exploitation Indicators 




Prerequisites 


%PATH% environment variable must contain a directory with R/W 
privileges for Guest(User)** 


Reliability Rating 


Completely (100%) 


Development Status 


Active 


Development Phase 


Delayed Exploit*** 


Development Goal 


Exploit 


Exploit Features 





* Safenet Sentinel HASP comes pre-installed with a number of upmarket commercial software, including 
but not limited to: iXAM, 1C, Adroit Photo Forensics, SoilVision, Intella, Bohemia Interactive, CodeWare, 
RockScience, and many others. 

** Many common software installations perform an update to %PATH% that meets this requirement, 
including python, ActiveTCL, GTK+, ActivePerl, etc. 

*** Currently the exploit impact will only be achieved after system reboot or at a random time during 
the exploited system's uptime. Development is currently focused on improving this to immediate impact. 
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Chapter 25 



SoftMaker Software 



"Since 1987, the year the company was founded, SoftMaker[50] has been developing office software: word 
processing (Text Maker), spreadsheet (PlanMaker), presentation graphics (SoftMaker Presentations), and 
database (DataMaker) software. The "flagship" product SoftMaker Office is available for a wide range 
of operating systems: Windows, Linux, Google Android, Windows Mobile (Pocket PCs), and Windows 
CE. 

The prominent features of the software from SoftMaker are: intuitivity and ease of use, extremely high 
compatibility with the Microsoft Office file formats, and the sheer speed of the software this, together 
with attractive pricing, is an unbeatable combination. 

High-quality computer typefaces are the second pillar of SoftMaker's business. With the product lines 
MegaFont XXL and infiniType, home users and professional designers alike have affordable access to a 
first-class typeface collection." 



25.1 SoftMaker Office 

"Choose SoftMaker Office 2012[51] as your office suite, and you will get the job done in less time and 
with better results. SoftMaker Office is reliable, powerful, fast, and easy to use." 

14-003 SoftMaker Office Client-side Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2014-03-31 


Expiration Date 
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Vulnerability Information 



Target 


SoftMaker FreeOffice 
SoftMaker Office 2012 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


FreeOffice rev684 
Office 2012 rev688 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-64 Microsoft Windows 7 Ultimate SP1 (en) (FP:2014-03-ll) 
2: x86-32 Microsoft Windows 7 Ultimate SP1 (en) (FP:2014-03-ll) 
3: x86-64 Microsoft Windows XP SP3 (en) (FP:2014-03-ll) 
4: x86-32 Microsoft Windows XP SP3 (en) (FP:2014-03-ll) 
5: x86-32 Ubuntu Linux 12.04 (FP:2014-03-ll) 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


5 


FreeOffice rev684 


V 


V 


V 


V 


V 


Office 2012 rev688 


V 


V 


V 


V 


V 



Asset Deliverables 



Documentation 


Asset Dossier including technical vulnerability and exploit documen- 
tation 


Exploits 


14-003-1 




14-003-2 




14-003-3 




14-003-4 



Exploit / Proof-of-Concept Information 



Exploit ID 


14-003-1 


Supported Targets 


1: Office 2012 rev688 on x86-32 Ubuntu 12.04 (FP:2013-03-ll) 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Code Execution 


Delivery Mechanism 


File 


Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


Target 1: Completely (100%) 



Table continued on next page... 
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- continued from previous page. 


Exploit Failure Behavior 




Exploit Features 


Post-exploitation cleanup 


Development Status 


Complete 




Exploit ID 


14-003-2 


Supported Targets 


1: FreeOffice rev684 on x86-32 Ubuntu 12.04 (FP:2013-03-ll) 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Code Execution 


Delivery Mechanism 


File 


Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


Target 1: Completely (100%) 


Exploit Failure Behavior 




Exploit Features 


Post-exploitation cleanup 


Development Status 


Complete 




Exploit ID 


14-003-3 


Supported Targets 


1: Office 2012 rev688 on x86-64 Windows 7 SP1 (FP:2013-03-ll) 




2: Office 2012 rev688 on x86-32 Windows 7 SP1 (FP:2013-03-ll) 




3: Office 2012 rev688 on x86-64 Windows XP SP3 (FP:2013-03-ll) 




4: Office 2012 rev688 on x86-32 Windows XP SP3 (FP:2013-03-ll) 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Code Execution 


Delivery Mechanism 


File 


Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


All Targets: Completely (100%) 


Exploit Failure Behavior 




Exploit Features 


Post-exploitation cleanup 


Development Status 


Complete 




Exploit ID 


14-003-4 


Supported Targets 


1: FreeOffice rev684 on x86-64 Windows 7 SP1 (FP:2013-03-ll) 




2: FreeOffice rev684 on x86-32 Windows 7 SP1 (FP:2013-03-ll) 




3: FreeOffice rev684 on x86-64 Windows XP SP3 (FP:2013-03-ll) 




4: FreeOffice rev684 on x86-32 Windows XP SP3 (FP:2013-03-ll) 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Code Execution 


Delivery Mechanism 


File 
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October 6, 2014 



CONFIDENTIAL 



Page 116 of 134 



Assets Portfolio 



- continued from previous page. 



Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


All Targets: Completely (100%) 


Exploit Failure Behavior 




Exploit Features 


Post-exploitation cleanup 


Development Status 


Complete 
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Chapter 26 



Siemens 



"Siemens[52] is a globally operating technology Company with core activities in the fields of energy, 
healthcare, industry, and infrastructure. On a continuing basis, we have around 362,000 employees as of 
September 30, 2013 and business activities in nearly all countries of the world and reported consolidated 
revenue of 75.882 billion in fiscal 2013. We operate in excess of 290 major production and manufacturing 
plants worldwide. In addition, we have office buildings, warehouses, research and development facilities 
or sales offices in almost every country in the world." 



26.1 SIMATIC WinCC 

"With the help of the options WinCC[53] Server and WinCC[53] Client, several operating and monitoring 
stations can be operated in a coordinated manner in the network with linked automation systems. In 
such a client/server architecture, one server can supply up to 32 connected clients with process and log 
data, alarms, screens, and reports." 



14-007 Siemens SIMATIC WinCC Client-side Remote Heap Control 



Sale Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 


Listing Date 


2014-08-18 


Expiration Date 





Vulnerability Information 



Target 



Siemens SIMATIC WinCC 
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- continued from previous page. 



Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


1.4.0. 0_1. 16. 0.16 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: Microsoft Internet Explorer 11 on x86-64 Microsoft Windows 7 
SP1 FP:2014-07-17 

2: Microsoft Internet Explorer 11 on x86-32 Microsoft Windows 7 
SP1 FP:2014-07-17 

3: Microsoft Office Word 2007 on x86-64 Microsoft Windows 7 SP1 
FP:2014-07-17 

4: Microsoft Office Word 2007 on x86-32 Microsoft Windows 7 SP1 
FP:2014-07-17 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


1.4.0. 0_1. 16. 0.16 


V 


V 


V 


V 



Asset Deliverables 



Documentation 


Asset Dossier including technical vulnerability and exploit documen- 
tation 


Exploits 


14-007-1 - Proof-of-Concept for Internet Explorer 11 
14-007-2 - Proof-of-Concept for Microsoft Office Word 2007 


Exploit / Proof-of-Concept Information 


Exploit ID 


14-007-1 


Supported Targets 


1: Microsoft Internet Explorer 11 on x86-64 Microsoft Windows 7 
SP1 FP:2014-07-17 

2: Microsoft Internet Explorer 11 on x86-32 Microsoft Windows 7 
SP1 FP:2014-07-17 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Heap Control 


Exploitation Context 


User 


Windows Integrity Level 


Low 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


All Targets: Completely (100%) 


Exploit Failure Behavior 


n/a 


Exploit Features 
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- continued from previous page. 



Development Status 


Active 


Development Goal 


Exploit 


Deliverables 


Proof-of-Concept 




Exploit ID 


14-007-2 


Supported Targets 


1: Microsoft Office Word 2007 on x86-64 Microsoft Windows 7 SP1 
FP:2014-07-17 

2: Microsoft Office Word 2007 on x86-32 Microsoft Windows 7 SP1 
FP:2014-07-17 


Attack Vector 


Client-side Remote 


Exploitation Impact 


Heap Control 


Exploitation Context 


User 


Windows Integrity Level 


High 


Exploitation Indicators 




Prerequisites 




Reliability Rating 


All Targets: Completely (100%) 


Exploit Failure Behavior 


n/a 


Exploit Features 




Development Status 


Active 


Development Goal 


Exploit 


Deliverables 


Proof-of-Concept 
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Chapter 27 



Tencent 



"Founded in November, 1998, Tencent[54] has grown into one of China's largest and most used Internet 
service portal. Since its establishment over the last decade, Tencent has maintained steady growth under 
its user-oriented operating strategies. On June 16, 2004, Tencent Holdings Limited (SEHK 700) went 
public on the main board of the Hong Kong Stock Exchange. 

It is Tencent's mission to enhance the quality of human life through Internet services. Presently, Tencent 
is providing value-added Internet, mobile and telecom services and online advertising under the strategic 
goal of providing users with "one-stop online lifestyle services". Tencents leading Internet platforms 
in China QQ[55] (QQ Instant Messenger), QQ.com, QQ Games, Qzone, 3g.QQ.com, SoSo, PaiPai 
and Tenpay have brought together China's largest Internet community, to meet the various needs of 
Internet users including communication, information, entertainment, e-commerce and others. As of Sep 
30, 2011, the active QQ users accounts for QQ IM amounted to 711.7 million while its peak concurrent 
users reached 145.4 million. The development of Tencent has profoundly influenced the ways hundreds 
of millions of Internet users communicate with one another as well as their lifestyles. It also brings 
possibilities of a wider range of applications to the Chinas Internet industry. 

Looking forward, Tencent remains committed to enhancing its development and innovation capabilities 
while strengthening its nationwide branding for its long term development. More than 50% of Tencent 
employees are R&D staff. Tencent has obtained patents relating to the technologies in various areas: 
instant messaging, e-commerce, online payment services, search engine, information security, gaming, and 
many more. In 2007, Tencent invested more than RMB100 million in setting up the Tencent Research 
Institute, China's first Internet research institute, with campuses in Beijing, Shanghai, and Shenzhen. 
The institute focuses on the self-development of core Internet technologies, in pursuing its development 
and innovation for the industry. 

Tencent's long term vision is to become the most respected Internet enterprise. In order to fulfill corporate 
social responsibilities and to promote civil Internet communities, Tencent has been actively participating 
in public charity programs. In 2006, Tencent inaugurated the Tencent Charity Fund, the first charity 
foundation set up by a Chinese Internet enterprise, and the public charity website gongyi.qq.com. The 
website focuses on youth education, assisting impoverished communities, care for the disadvantaged, and 
disaster relief. Tencent has currently begun a number of public charity projects across China. It strives 
to help build a harmonious society and to become a good corporate citizen." 
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27.1 QQ Player 

"Tencent QQ[55] provides total solution for Internet-based instant messaging (IM) platform. It supports 
comprehensive basic online communication functions, including text messaging, video and voice chat as 
well as online (offline) file transmission. It also supports cross platform communication between PC and 
wireless terminals. The new QQ2009 edition is fully compatible with Windows XP, Vista, Linux, Mac 
and other systems. Meanwhile, the third-generation QQ with "Hummer" as its core has strengthened 
the integration of various Internet services to build a complete, mature and diversified online life platform 
for users." 

13-004 Tencent QQ Player Client-side Remote Code Execution 



Asset Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 
Non-Exclusive Purchase 
Monthly License 


Listing Date 


2013.04.12 


Expiration Date 




Vulnerability Information 


Target 


Tencent QQ Player 


Vulnerability Class 


Memory Corruption 


Affected Versions Tested 


3.7 (892) 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: x86-32 Microsoft Windows 7 Ultimate SP1 FP(2013. 04.12) 
2: x86-64 Microsoft Windows 7 Ultimate SP1 FP(2013. 04.12) 
3: x86-32 Microsoft Windows 7 Enterprise SP1 FP(2013.04.12) 
4: x86-64 Microsoft Windows 7 Enterprise SP1 FP(2013. 04.12) 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Completely (100%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


3.7 (892) 


V 


V 


V 


V 



Exploit / Proof-of-Concept Information 
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Supported Targets 


3.7 (892) on x86-32 Microsoft Windows 7 Ultimate SP1 
FP(2013.04.12) 

3.7 (892) on x86-64 Microsoft Windows 7 Ultimate SP1 
FP(2013.04.12) 

3.7 (892) on x86-32 Microsoft Windows 7 Enterprise SP1 
FP(2013.04.12) 

3.7 (892) on x86-64 Microsoft Windows 7 Enterprise SP1 
FP(2013. 04.12) 


Attack Vector 


Client-side 


Exploitation Impact 


Code Execution 


Exploitation Context 


User 


Windows Integrity Level 


Medium 


Exploitation Indicators 


Target software crashes 


Prerequisites 




Reliability Rating 


High (70%)* 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


ASLR Handled 
DEP Bypass 
Arbitrary Payload 



* Reliability is not 100% as sometimes various threads crash before exploit success. Multiple process 
threads access the memory being corrupted, therefore it would be difficult to achieve process continuation 
as well as 100% reliability. 
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Chapter 28 



Zabbix SIA 



"ZABBIX SIA[56] is based in Riga, Latvia. Its CEO is Alexei Vladishev, the owner and ZABBIX product 
manager. 

The basic work sphere of ZABBIX SIA is development of open source software for monitoring of networks 
and applications. Apart from that the company offers a wide range of professional services designed to fit 
every customer's unique business demands including implementation, integration, custom development 
and consulting services as well as various training programs. 

ZABBIX team's mission is to make a superior monitoring solution available and affordable for all. 

The company's flagship product is ZABBIX, one of the most popular open source monitoring software in 
the world. It is already used by a vast number of companies, who have chosen it due to real scalability, 
high and robust performance, ease of use and extremely low costs of ownership. 

ZABBIX SIA is privately held." 



28.1 Zabbix 

"Zabbix[57] is the ultimate open source availability and performance monitoring solution. Zabbix offers 
advanced monitoring, alerting, and visualization features today which are missing in other monitoring 
systems, even some of the best commercial ones." 

12-030 Zabbix Remote Code Execution 



Vulnerability Information 



Asset Type 


Brokered 


Asset Availability 


Exclusive Purchase 




Non-Exclusive Purchase 




Monthly License 
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- continued from previous page. 



Listing Date 


2012.06.21 


Expiration Date 




Vulnerability Class 


Input Validation 


Affected Versions Tested 


2.0.0 
1.8.5 


Affected Versions Assumed 




Unaffected Versions 




Affected Platforms Tested 


1: PHP 5.3.3-7+squeezel2 on Apache 2.2.16-6+squeeze7 on x86-32 
Debian 6.0.5 

2: PHP 5.4.4-2 on Apache 2.2.22-9 on x86-32 Debian test- 
ing(2012.06.21) 

3: PHP 5.4.4-2 on Apache 2.2.22-9 on x86-32 Debian unsta- 
ble(2012. 06.21) 

4: PHP 5.4.4 on Apache 2.4.2 on x86-64 Microsoft Windows 2008 
SP2 

5: PHP 5.3.14 on Apache 2.4.2 on x86-64 Microsoft Windows 2008 
SP2 

6: PHP 5.4.4 on Apache 2.4.2 on x86-32 Microsoft Windows 2003 
SP2 

7: PHP 5.3.14 on Apache 2.4.2 on x86-32 Microsoft Windows 2003 
SP2 

8: PHP 5.4.4 on Apache 2.4.2 on x86-32 Microsoft Windows XP 
SP3 

9: PHP 5.3.14 on Apache 2.4.2 on x86-32 Microsoft Windows XP 
SP3 

10: PHP 5.3.3 on Apache 2.2.15-15 on x86-32 CentOS 6.2 
11: PHP 5.1.6 on Apache 2.2.3-63 on x86-32 CentOS 5.8 


Affected Platforms Assumed 




Unaffected Platforms 




Reliability Rating 


Near-Complete (99%) 



Vulnerability Test Matrix 





1 


2 


3 


4 


5 


6 


7 


8 


9 


10 


11 


2.0.0 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


1.8.5 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 


V 



Exploit / Proof-of-Concept Information 



Supported Targets 


2.0.0 on all Affected Platforms Tested 
1.8.5 on all Affected Platforms Tested 


Attack Vector 


Remote Pre-Auth 


Exploitation Impact 


Code Execution 


Exploitation Context 


Webserver User 


Windows Integrity Level 
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- continued from previous page. 



Exploitation Indicators 


PHP files modifications 


Prerequisites 




Reliability Rating 


Near-Complete (99%) 


Development Status 


Complete 


Development Phase 


Exploit 


Development Goal 


Exploit 


Exploit Features 


PHP disabledJunctions restrictions bypass (multiple techniques) 
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Chapter 29 

Vulnerability History and Status 



Asset iu 


Description 


Status 


14-010 


Apple Mac OS X Privileged Local Command Execution 


Available 


14-009 




Pending 


14-008 


Mozilla Firefox Client-side Remote Code Execution 


Available 


14-007 


Siemens SIMATIC WinCC Client-side Remote Heap Control 


Available 


14-006 


Oracle Solaris SSHD Remote Privileged Command Execution 


Available 


14-005 


Microsoft Windows Kernel Local Privilege Escalation 


Available 


14-004 


Adobe Reader Client-side Remote Code Execution 


Available 


14-003 


Softmaker Office Client-side Remote Code Execution 


Available 


14-002 


Dell SonicWALL Scrutinizer Information Disclosure 


Sold 


14-001 


OpenPAM Local Privilege Escalation and Remote Authentication 
Bypass 


Available 


14-000 


Dell SonicWALL Scrutinizer Remote Code Execution 


Sold 


13-027 


F5 Networks BIG-IQ Post-auth Remote Privileged Command Execu- 
tion 


Unavailable 


13-026 


GKSu + Oracle VirtualBox Client-side Remote Privileged Command 
Execution 


Unavailable 


13-025 




Pending 


13-024 


McAfee ePolicy Orchestrator Post-Auth Priileged Remote Code Ex- 
ecution 


Available 


13-023 


McAfee ePolicy Orchestrator Post-Auth Priileged Remote Code Ex- 
ecution 


Available 


13-022 


Google Android Local Application Permissions Evasion 


Available 


13-021 


PHP Remote Command Execution 


Sold 


13-020 


Microsoft Windows Kernel Local Privilege Escalation 


Available 


13-019 


McAfee ePolicy Orchestrator Privileged Remote Code Execution 


Available 


13-018 


Opera Web Browser Universal Client-side Remote Code Execution 


Available 


13-017 


Mozilla Firefox Client-side Remote Code Execution 


Sold 


13-016 


Kingsoft Office Client-side Remote Code Execution 


Available 
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Table 29.1 - Continued 



Asset ID 


Description 


Status 




13-015 


ASUS Device Driver Local Privilege Escalation 


Available 


13-014 


ZeroShell Remote Privileged Command Execution 


Available 


13-013 


Microsoft Windows Kernel Local Privilege Escalation 


Available 


13-012 


Mozilla Firefox Client-side Remote Code Execution 


Sold 


13-011 


Adobe Photoshop Client-side Remote Code Execution 


Available 


13-010 


avast! Anti-Virus Local Privilege Escalation 


Available 


13-009 


Microsoft Internet Explorer Client-side Remote Code Execution 


Sold 


13-008 




Pending 


13-007 


SafeNet Sentinel HASP Local Privilege Escalation 


Available 


13-006 


Multiple BSD Jail Local Jail Escape and Privileged Command Exe- 
cution 


Available 


13-005 


avast! Anti-Virus Local Information Disclosure 


Available 


13-004 


Tencent QQ Player Remote Code Execution 


Available 


13-003 


Parallels Plesk Panel Remote Code Execution 


Available 


13-002 


Barracuda Web Filter Privileged Remote Code Execution 


Available 


13-001 


Oracle Solaris SSHD Privileged Remote Command Execution 


Sold 


13-000 


Barracuda Web Filter Privileged Remote Code Execution 


Available 


12-039 


Microsoft Internet Explorer Client-side Remote Code Execution and 
Information Disclosure 


Available 


12-038 


Oracle WebCenter Content Core Component Remote Authentication 
Bypass and Code Exeuction 


Available 


12-037 


Apple iOS Remote Forced Firmware Update Avoidance 


Available 


12-036 


Apple iOS Remote Forced Access-Point Association 


Unavailable 


12-035 


Microsoft Office Client-Side Remote Code Execution 


Available 


12-034 


Juniper Network Connect Server Local Privilege Escalation 


Available 


12-033 


Adobe Flash Player Client-side Remote Code Execution 


Available 


12-032 


Mozilla Firefox Client-Side Remote Code Execution 


Available 


12-031 


Dell SonicWALL Multiple Products Remote Command Execution 


Available 


12-030 


Zabbix Remote Code Execution 


Available 


12-029 




Pending 


12-028 


tcpdump Local Privilege Escalation and Backdoor with Firewall Eva- 
sion 


Available 


12-027 


Microsoft Windows Kernel Local Privilege Escalation 


Sold 


12-026 


Internet Explorer 8 Remote Code Execution 


Available 


12-025 


*** REDACTED *** 


Sold 


12-024 


Red Star OS Local Privilege Escalation with non-System Command 
Reboot 


Available 


12-023 


Red Star OS Local Privilege Escalation 


Available 


12-022 


Red Star OS Local Privilege Escalation 


Available 


12-021 


Red Star OS Local Privilege Escalation 


Available 


12-020 


Red Star OS Local Privilege Escalation 


Available 


12-019 


Red Star OS Local Privilege Escalation 


Available 


12-018 


Red Star OS Local Privilege Escalation 


Available 


12-017 


Red Star OS Local Privilege Escalation 


Available 
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Table 29.1 - Continued 



Asset ID 


Description 


Status 




12-016 


Red Star OS Local Privilege Escalation 


Available 


12-015 


Red Star OS Local Privilege Escalation 


Available 


12-014 


Red Star OS Local Privilege Escalation 


Available 


12-013 


Red Star OS Local Privilege Escalation 


Available 


12-012 


Red Star OS Local Privilege Escalation 


Available 


12-011 


Red Star OS Local Privilege Escalation 


Available 


12-010 


Red Star OS Local Privilege Escalation 


Expired 


12-009 


Red Star OS Local Privilege Escalation 


Expired 


12-008 


Red Star OS Sat Privileged Remote and Client-Side Command Ex- 
ecution 


Available 


12-007 


Webmin Privileged Remote Privileged Information Disclosure 


Expired 


12-006 


Webmin Privileged Remote and Client-Side Command Execution 


Expired 


12-005 


Webmin Privileged Remote Code Execution 


Expired 



12-004 



Microsoft Windows Local Protection Bypass 



Available 



12-003 



Microsoft Windows Local Privilege Escalation 



Available 



12-002 



Microsoft Windows XP Local Privilege Escalation 



Available 



12-001 
12-000 



*** REDACTED *** 
*** REDACTED *** 



Sold 

Unavailable 



11-033 



Microsoft Windows XP DLL Hijacking Client-Side Remote Code Ex- 
ecution 



Unavailable 



11-032 



BSD Perimeter pfSense Remote Privileged Command Execution 



Available 



11-031 



Nagios Enterprises Nagios XI Remote Code Execution 



Expired 



11-030 



Uptime Systems Up. Time Remote Privileged Code Execution 



Available 



11-029 



Rhinosoft Serv-U File Server Remote Information Disclosure 



Unavailable 



11-028 
11-027 



*** REDACTED *** 

Multiple FTP Server Remote Privileged Code Execution 



Unavailable 
Unavailable 



11-026 



*** REDACTED *** 



Sold 



11-025 



*** REDACTED *** 



Unavailable 



11-024 
11-023 



Apple Mac OS X Snow Leopard Privilege Escalation 
Apple Mac OS X Leopard/Tiger Privilege Escalation 



Expired 
Expired 



11-022 



Apple iTunes Device Update Privilege Escalation 



Expired 



11-021 



2011-0018 



NEC Voice Mail Remote Command Execution 



Tectia Server Pre-Auth Remote Code Execution 



Expired 



2011-0020 Microsoft Internet Explorer 7 Client-Side Remote Code Execution Sold 

2011-0019 Microsoft Internet Explorer 8 Client-Side Remote Code Execution Sold 



Sold 



2011-0017 



2011-0016 



2011-0015 



Kresimir Petric FreeFTPd Pre-Auth Remote Authentication Bypass Sold 
and Code Execution 

Kresimir Petric FreeSSHd Pre-Auth Remote Authentication Bypass Sold 
and Code Exeuction 



FreeBSD and NetBSD telnetd Pre-Auth Remote Code Execution 



Sold 



2011-0014 



Google SketchUp Client-Side Remote Code Execution 



Sold 



2011-0013 



Adobe Flash Player Client-Side Remote Code Execution 



Sold 



2011-0012 



Adobe Illustrator Client-Side Remote Code Execution 



Sold 



11-011 



PineApp Mail-SeCure Remote Command Execution 



Available 
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2011-0010 


Opera Multiple Products Client-Side Remote Code Execution 


Sold 


11-009 


*** REDACTED *** 


Sold 


11-008 


Atmail Multiple Products Input Validation Remote Code and Com- 
mand Execution 


Expired 


11-007 


Atmail Multiple Products Input Validation Remote Code and Com- 
mand Execution 


Expired 


11-006 


Atmail Multiple Products Input Validation Race Condition Remote 
Code and Command Execution 


Expired 


11-005 


Mozilla Firefox Client-Side Remote Code Execution 


Patched 


11-004 


Java Runtime Environment Client-Side Remote Code Execution 


Expired 


11-003 


*** REDACTED *** 


Sold 


11-002 


*** REDACTED *** 


Sold 


11-001 


*** REDACTED *** 


Sold 


2011-0000 


Microsoft Windows Local RingO Privilege Escalation 


Sold 


2010-0031 


Oracle Solaris Default Software Local Privilege Escalation 


Sold 


10-030 


Java Virtual Machine (JRE & JDK) Client-Side Remote Code Exe- 
cution 


Available 


2010-0029 


QNX Neutrino RTOS Default Software Local Privilege Escalation 


Sold 


2010-0028 


QNX Neutrino RTOS Default Software Local Privilege Escalation 


Sold 


2010-0027 


QNX Neutrino RTOS Default Software Local Privilege Escalation 


Sold 


10-026 


*** REDACTED *** 


Sold 


2010-0025 


Enterasys Network Management Suite Remote Code Execution 


Sold 


2010-0024 


Adobe Shockwave Player Client-Side Code Execution 


Sold 


2010-0023 


Java Runtime Environment Auto-Update Remote Code Execution 


Sold 


2010-0022 


Alcohol 120% Remote Code Execution 


Sold 


2010-0021 


ESET NOD32 Antivirus and ESET Smart Security Remote Pre-auth 
Code Execution 


Sold 


10-020 


*** REDACTED *** 


Sold 


10-019 


Microsoft Windows Core Component Client-Side Remote Code Ex- 
ecution 


Patched 


10-018 


Symantec Web Gateway SQL Injection 


Unavailable 


2010-0017 


Windows Messenger ActiveX Code Execution 


Sold 


2010-0016 


Java Runtime Environment Auto-Update Code Execution 


Sold 


10-015 


Flash Client-Side Code Execution 


Unavailable 


10-014 


Malicious Portable Executable Detection Bypass 


Available 


2010-0013 


Java Runtime Environment Local Privilege Escalation 


Sold 


10-012 


Quicktime Code Execution 


Unavailable 


2010-0011 


Quicktime Client-Side Remote Code Execution 


Sold 


2010-0010 


Java Runtime Environment Client-Side Remote Code Execution 


Sold 


2010-0009 


Java Runtime Environment Local Privilege Escalation 


Sold 


2010-0008 


.NET Client-Side Code Exec 


Sold 


10-0007 


Java Runtime Environment Client-Side Remote Command Execution 


Patched 


10-0006 


Quicktime Client-Side Remote Code Execution 


Patched 


2010-0005 


AIX Local Privilege Escalation 


Sold 
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10-004 


Novell Client Remote Code Execution 


Available 


10-003 


Ventrilo Client Remote Code Execution 


Unavailable 


2010-0002 


Microsoft Office API Remote Code Execution 


Sold 


2010-0001 


Adobe Reader Client-Side Remote Code Execution 


Sold 


2010-0000 


McAfee Anti-Theft Auth Bypass 


Sold 
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